CodeQL documentation
CodeQL resources

CodeQL full CWE coverage

An overview of the full coverage of MITRE’s Common Weakness Enumeration (CWE) for the latest release of CodeQL.

Overview

CWE Language Query id Query name
CWE‑11 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑12 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑13 C# cs/password-in-configuration Password in configuration file
CWE‑14 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑20 C++ cpp/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 C++ cpp/count-untrusted-data-external-api-ir Frequency counts for external APIs that are used with untrusted data
CWE‑20 C++ cpp/untrusted-data-to-external-api-ir Untrusted data passed to external API
CWE‑20 C++ cpp/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 C++ cpp/uncontrolled-process-operation Uncontrolled process operation
CWE‑20 C++ cpp/unclear-array-index-validation Unclear validation of array index
CWE‑20 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑20 C++ cpp/late-check-of-function-argument Late Check Of Function Argument
CWE‑20 C++ cpp/linux-kernel-no-check-before-unsafe-put-user Linux kernel no check before unsafe_put_user vulnerability detection
CWE‑20 C# cs/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 C# cs/serialization-check-bypass Serialization check bypass
CWE‑20 C# cs/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 C# cs/xml/missing-validation Missing XML validation
CWE‑20 C# cs/assembly-path-injection Assembly path injection
CWE‑20 Go go/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 Go go/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑20 Go go/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑20 Go go/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑20 Go go/suspicious-character-in-regex Suspicious characters in a regular expression
CWE‑20 Go go/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 Go go/untrusted-data-to-unknown-external-api Untrusted data passed to unknown external API
CWE‑20 Java java/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 Java java/overly-large-range Overly permissive regular expression range
CWE‑20 Java java/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 Java java/improper-validation-of-array-construction Improper validation of user-provided size used for array construction
CWE‑20 Java java/improper-validation-of-array-construction-code-specified Improper validation of code-specified size used for array construction
CWE‑20 Java java/improper-validation-of-array-construction-local Improper validation of local user-provided size used for array construction
CWE‑20 Java java/improper-validation-of-array-index Improper validation of user-provided array index
CWE‑20 Java java/improper-validation-of-array-index-code-specified Improper validation of code-specified array index
CWE‑20 Java java/improper-validation-of-array-index-local Improper validation of local user-provided array index
CWE‑20 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑20 JavaScript js/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 JavaScript js/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑20 JavaScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑20 JavaScript js/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑20 JavaScript js/incorrect-suffix-check Incorrect suffix check
CWE‑20 JavaScript js/missing-origin-check Missing origin verification in postMessage handler
CWE‑20 JavaScript js/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑20 JavaScript js/overly-large-range Overly permissive regular expression range
CWE‑20 JavaScript js/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 JavaScript js/useless-regexp-character-escape Useless regular-expression character escape
CWE‑20 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑20 JavaScript js/double-escaping Double escaping or unescaping
CWE‑20 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑20 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑20 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑20 JavaScript js/untrusted-data-to-external-api-more-sources Untrusted data passed to external API with additional heuristic sources
CWE‑20 Python py/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑20 Python py/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑20 Python py/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑20 Python py/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑20 Python py/overly-large-range Overly permissive regular expression range
CWE‑20 Python py/bad-tag-filter Bad HTML filtering regexp
CWE‑20 Ruby rb/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑20 Ruby rb/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑20 Ruby rb/regex/badly-anchored-regexp Badly anchored regular expression
CWE‑20 Ruby rb/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑20 Ruby rb/overly-large-range Overly permissive regular expression range
CWE‑20 Ruby rb/bad-tag-filter Bad HTML filtering regexp
CWE‑20 Ruby rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑20 Ruby rb/incomplete-sanitization Incomplete string escaping or encoding
CWE‑20 Swift swift/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑20 Swift swift/bad-tag-filter Bad HTML filtering regexp
CWE‑22 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑22 C# cs/path-injection Uncontrolled data used in path expression
CWE‑22 C# cs/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑22 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑22 Go go/path-injection Uncontrolled data used in path expression
CWE‑22 Go go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE‑22 Go go/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑22 Java java/path-injection Uncontrolled data used in path expression
CWE‑22 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑22 Java java/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑22 Java java/partial-path-traversal Partial path traversal vulnerability
CWE‑22 Java java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE‑22 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑22 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑22 JavaScript js/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑22 Python py/path-injection Uncontrolled data used in path expression
CWE‑22 Python py/tarslip Arbitrary file write during tarfile extraction
CWE‑22 Python py/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑22 Python py/tarslip-extended Arbitrary file write during tarfile extraction
CWE‑22 Python py/unsafe-unpacking Arbitrary file write during a tarball extraction from a user controlled source
CWE‑22 Ruby rb/zip-slip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑22 Ruby rb/path-injection Uncontrolled data used in path expression
CWE‑22 Swift swift/path-injection Uncontrolled data used in path expression
CWE‑23 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑23 C# cs/path-injection Uncontrolled data used in path expression
CWE‑23 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑23 Go go/path-injection Uncontrolled data used in path expression
CWE‑23 Java java/path-injection Uncontrolled data used in path expression
CWE‑23 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑23 Java java/partial-path-traversal Partial path traversal vulnerability
CWE‑23 Java java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE‑23 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑23 Python py/path-injection Uncontrolled data used in path expression
CWE‑23 Ruby rb/path-injection Uncontrolled data used in path expression
CWE‑23 Swift swift/path-injection Uncontrolled data used in path expression
CWE‑36 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑36 C# cs/path-injection Uncontrolled data used in path expression
CWE‑36 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑36 Go go/path-injection Uncontrolled data used in path expression
CWE‑36 Java java/path-injection Uncontrolled data used in path expression
CWE‑36 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑36 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑36 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑36 Python py/path-injection Uncontrolled data used in path expression
CWE‑36 Ruby rb/path-injection Uncontrolled data used in path expression
CWE‑36 Swift swift/path-injection Uncontrolled data used in path expression
CWE‑73 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑73 C# cs/path-injection Uncontrolled data used in path expression
CWE‑73 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑73 Go go/path-injection Uncontrolled data used in path expression
CWE‑73 Java java/path-injection Uncontrolled data used in path expression
CWE‑73 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑73 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑73 JavaScript js/template-object-injection Template Object Injection
CWE‑73 Python py/path-injection Uncontrolled data used in path expression
CWE‑73 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑73 Ruby rb/path-injection Uncontrolled data used in path expression
CWE‑73 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE‑73 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE‑73 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑73 Swift swift/path-injection Uncontrolled data used in path expression
CWE‑74 C++ cpp/non-constant-format Non-constant format string
CWE‑74 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑74 C++ cpp/cgi-xss CGI script vulnerable to cross-site scripting
CWE‑74 C++ cpp/sql-injection Uncontrolled data in SQL query
CWE‑74 C++ cpp/tainted-format-string Uncontrolled format string
CWE‑74 C++ cpp/tainted-format-string-through-global Uncontrolled format string (through global variable)
CWE‑74 C++ cpp/wordexp-injection Uncontrolled data used in wordexp command
CWE‑74 C# cs/path-injection Uncontrolled data used in path expression
CWE‑74 C# cs/command-line-injection Uncontrolled command line
CWE‑74 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑74 C# cs/web/stored-xss Stored cross-site scripting
CWE‑74 C# cs/web/xss Cross-site scripting
CWE‑74 C# cs/second-order-sql-injection SQL query built from stored user-controlled sources
CWE‑74 C# cs/sql-injection SQL query built from user-controlled sources
CWE‑74 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE‑74 C# cs/stored-ldap-injection LDAP query built from stored user-controlled sources
CWE‑74 C# cs/xml-injection XML injection
CWE‑74 C# cs/code-injection Improper control of generation of code
CWE‑74 C# cs/resource-injection Resource injection
CWE‑74 C# cs/uncontrolled-format-string Uncontrolled format string
CWE‑74 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑74 C# cs/xml/xpath-injection XPath injection
CWE‑74 C# cs/web/disabled-header-checking Header checking disabled
CWE‑74 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑74 Go go/path-injection Uncontrolled data used in path expression
CWE‑74 Go go/command-injection Command built from user-controlled sources
CWE‑74 Go go/stored-command Command built from stored data
CWE‑74 Go go/reflected-xss Reflected cross-site scripting
CWE‑74 Go go/stored-xss Stored cross-site scripting
CWE‑74 Go go/sql-injection Database query built from user-controlled sources
CWE‑74 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑74 Go go/xml/xpath-injection XPath injection
CWE‑74 Go go/ldap-injection LDAP query built from user-controlled sources
CWE‑74 Go go/dsn-injection SQL Data-source URI built from user-controlled sources
CWE‑74 Go go/dsn-injection-local SQL Data-source URI built from local user-controlled sources
CWE‑74 Go go/html-template-escaping-passthrough HTML template escaping passthrough
CWE‑74 Java java/jndi-injection JNDI lookup with user-controlled name
CWE‑74 Java java/xslt-injection XSLT transformation with user-controlled stylesheet
CWE‑74 Java java/relative-path-command Executing a command with a relative path
CWE‑74 Java java/command-line-injection Uncontrolled command line
CWE‑74 Java java/command-line-injection-local Local-user-controlled command line
CWE‑74 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑74 Java java/android/webview-addjavascriptinterface Access Java object methods through JavaScript exposure
CWE‑74 Java java/android/websettings-javascript-enabled Android WebView JavaScript settings
CWE‑74 Java java/xss Cross-site scripting
CWE‑74 Java java/xss-local Cross-site scripting from local source
CWE‑74 Java java/concatenated-sql-query Query built by concatenation with a possibly-untrusted string
CWE‑74 Java java/sql-injection Query built from user-controlled sources
CWE‑74 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑74 Java java/ldap-injection LDAP query built from user-controlled sources
CWE‑74 Java java/android/arbitrary-apk-installation Android APK installation
CWE‑74 Java java/groovy-injection Groovy Language injection
CWE‑74 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑74 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑74 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑74 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑74 Java java/server-side-template-injection Server-side template injection
CWE‑74 Java java/netty-http-request-or-response-splitting Disabled Netty HTTP header validation
CWE‑74 Java java/http-response-splitting HTTP response splitting
CWE‑74 Java java/http-response-splitting-local HTTP response splitting from local source
CWE‑74 Java java/tainted-format-string Use of externally-controlled format string
CWE‑74 Java java/tainted-format-string-local Use of externally-controlled format string from local source
CWE‑74 Java java/xml/xpath-injection XPath injection
CWE‑74 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE‑74 Java java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE‑74 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑74 Java java/command-line-injection-extra Command Injection into Runtime.exec() with dangerous command
CWE‑74 Java java/command-line-injection-extra-local Command Injection into Runtime.exec() with dangerous command
CWE‑74 Java java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE‑74 Java java/mybatis-annotation-sql-injection SQL injection in MyBatis annotation
CWE‑74 Java java/mybatis-xml-sql-injection SQL injection in MyBatis Mapper XML
CWE‑74 Java java/beanshell-injection BeanShell injection
CWE‑74 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑74 Java java/jshell-injection JShell injection
CWE‑74 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑74 Java java/jython-injection Injection in Jython
CWE‑74 Java java/unsafe-eval Injection in Java Script Engine
CWE‑74 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑74 Java java/spring-view-manipulation Spring View Manipulation
CWE‑74 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑74 JavaScript js/disabling-electron-websecurity Disabling Electron webSecurity
CWE‑74 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑74 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑74 JavaScript js/template-object-injection Template Object Injection
CWE‑74 JavaScript js/command-line-injection Uncontrolled command line
CWE‑74 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑74 JavaScript js/second-order-command-line-injection Second order command injection
CWE‑74 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑74 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑74 JavaScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE‑74 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑74 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑74 JavaScript js/stored-xss Stored cross-site scripting
CWE‑74 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑74 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑74 JavaScript js/xss Client-side cross-site scripting
CWE‑74 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑74 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑74 JavaScript js/code-injection Code injection
CWE‑74 JavaScript js/actions/command-injection Expression injection in Actions
CWE‑74 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑74 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑74 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑74 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑74 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑74 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑74 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑74 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑74 JavaScript js/tainted-format-string Use of externally-controlled format string
CWE‑74 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑74 JavaScript js/xpath-injection XPath injection
CWE‑74 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑74 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑74 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑74 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑74 JavaScript js/command-line-injection-more-sources Uncontrolled command line with additional heuristic sources
CWE‑74 JavaScript js/xss-more-sources Client-side cross-site scripting with additional heuristic sources
CWE‑74 JavaScript js/sql-injection-more-sources Database query built from user-controlled sources with additional heuristic sources
CWE‑74 JavaScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE‑74 JavaScript js/tainted-format-string-more-sources Use of externally-controlled format string with additional heuristic sources
CWE‑74 JavaScript js/xpath-injection-more-sources XPath injection with additional heuristic sources
CWE‑74 JavaScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE‑74 Python py/path-injection Uncontrolled data used in path expression
CWE‑74 Python py/command-line-injection Uncontrolled command line
CWE‑74 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑74 Python py/jinja2/autoescape-false Jinja2 templating with autoescape=False
CWE‑74 Python py/reflective-xss Reflected server-side cross-site scripting
CWE‑74 Python py/sql-injection SQL query built from user-controlled sources
CWE‑74 Python py/ldap-injection LDAP query built from user-controlled sources
CWE‑74 Python py/code-injection Code injection
CWE‑74 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑74 Python py/template-injection Server Side Template Injection
CWE‑74 Python py/paramiko-command-injection RCE with user provided command with paramiko ssh client
CWE‑74 Python py/reflective-xss-email Reflected server-side cross-site scripting
CWE‑74 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑74 Python py/header-injection HTTP Header Injection
CWE‑74 Python py/nosql-injection NoSQL Injection
CWE‑74 Ruby rb/ldap-injection LDAP Injection
CWE‑74 Ruby rb/server-side-template-injection Server-side template injection
CWE‑74 Ruby rb/xpath-injection XPath query built from user-controlled sources
CWE‑74 Ruby rb/path-injection Uncontrolled data used in path expression
CWE‑74 Ruby rb/command-line-injection Uncontrolled command line
CWE‑74 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE‑74 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE‑74 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑74 Ruby rb/reflected-xss Reflected server-side cross-site scripting
CWE‑74 Ruby rb/stored-xss Stored cross-site scripting
CWE‑74 Ruby rb/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑74 Ruby rb/sql-injection SQL query built from user-controlled sources
CWE‑74 Ruby rb/code-injection Code injection
CWE‑74 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE‑74 Ruby rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑74 Ruby rb/incomplete-sanitization Incomplete string escaping or encoding
CWE‑74 Ruby rb/tainted-format-string Use of externally-controlled format string
CWE‑74 Swift swift/command-line-injection System command built from user-controlled sources
CWE‑74 Swift swift/path-injection Uncontrolled data used in path expression
CWE‑74 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE‑74 Swift swift/sql-injection Database query built from user-controlled sources
CWE‑74 Swift swift/unsafe-js-eval JavaScript Injection
CWE‑74 Swift swift/uncontrolled-format-string Uncontrolled format string
CWE‑74 Swift swift/predicate-injection Predicate built from user-controlled sources
CWE‑77 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑77 C++ cpp/wordexp-injection Uncontrolled data used in wordexp command
CWE‑77 C# cs/command-line-injection Uncontrolled command line
CWE‑77 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑77 Go go/command-injection Command built from user-controlled sources
CWE‑77 Go go/stored-command Command built from stored data
CWE‑77 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑77 Java java/relative-path-command Executing a command with a relative path
CWE‑77 Java java/command-line-injection Uncontrolled command line
CWE‑77 Java java/command-line-injection-local Local-user-controlled command line
CWE‑77 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑77 Java java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE‑77 Java java/command-line-injection-extra Command Injection into Runtime.exec() with dangerous command
CWE‑77 Java java/command-line-injection-extra-local Command Injection into Runtime.exec() with dangerous command
CWE‑77 Java java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE‑77 JavaScript js/command-line-injection Uncontrolled command line
CWE‑77 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑77 JavaScript js/second-order-command-line-injection Second order command injection
CWE‑77 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑77 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑77 JavaScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE‑77 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑77 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑77 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑77 JavaScript js/command-line-injection-more-sources Uncontrolled command line with additional heuristic sources
CWE‑77 JavaScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE‑77 Python py/command-line-injection Uncontrolled command line
CWE‑77 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑77 Ruby rb/command-line-injection Uncontrolled command line
CWE‑77 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE‑77 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE‑77 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑77 Swift swift/command-line-injection System command built from user-controlled sources
CWE‑78 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑78 C++ cpp/wordexp-injection Uncontrolled data used in wordexp command
CWE‑78 C# cs/command-line-injection Uncontrolled command line
CWE‑78 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑78 Go go/command-injection Command built from user-controlled sources
CWE‑78 Go go/stored-command Command built from stored data
CWE‑78 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑78 Java java/relative-path-command Executing a command with a relative path
CWE‑78 Java java/command-line-injection Uncontrolled command line
CWE‑78 Java java/command-line-injection-local Local-user-controlled command line
CWE‑78 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑78 Java java/command-line-injection-extra Command Injection into Runtime.exec() with dangerous command
CWE‑78 Java java/command-line-injection-extra-local Command Injection into Runtime.exec() with dangerous command
CWE‑78 Java java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE‑78 JavaScript js/command-line-injection Uncontrolled command line
CWE‑78 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑78 JavaScript js/second-order-command-line-injection Second order command injection
CWE‑78 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑78 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑78 JavaScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE‑78 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑78 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑78 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑78 JavaScript js/command-line-injection-more-sources Uncontrolled command line with additional heuristic sources
CWE‑78 JavaScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE‑78 Python py/command-line-injection Uncontrolled command line
CWE‑78 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑78 Ruby rb/command-line-injection Uncontrolled command line
CWE‑78 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE‑78 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE‑78 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑78 Swift swift/command-line-injection System command built from user-controlled sources
CWE‑79 C++ cpp/cgi-xss CGI script vulnerable to cross-site scripting
CWE‑79 C# cs/web/stored-xss Stored cross-site scripting
CWE‑79 C# cs/web/xss Cross-site scripting
CWE‑79 Go go/reflected-xss Reflected cross-site scripting
CWE‑79 Go go/stored-xss Stored cross-site scripting
CWE‑79 Go go/html-template-escaping-passthrough HTML template escaping passthrough
CWE‑79 Java java/android/webview-addjavascriptinterface Access Java object methods through JavaScript exposure
CWE‑79 Java java/android/websettings-javascript-enabled Android WebView JavaScript settings
CWE‑79 Java java/xss Cross-site scripting
CWE‑79 Java java/xss-local Cross-site scripting from local source
CWE‑79 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE‑79 JavaScript js/disabling-electron-websecurity Disabling Electron webSecurity
CWE‑79 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑79 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑79 JavaScript js/stored-xss Stored cross-site scripting
CWE‑79 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑79 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑79 JavaScript js/xss Client-side cross-site scripting
CWE‑79 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑79 JavaScript js/code-injection Code injection
CWE‑79 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑79 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑79 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑79 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑79 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑79 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑79 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑79 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑79 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑79 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑79 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑79 JavaScript js/xss-more-sources Client-side cross-site scripting with additional heuristic sources
CWE‑79 JavaScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE‑79 JavaScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE‑79 Python py/jinja2/autoescape-false Jinja2 templating with autoescape=False
CWE‑79 Python py/reflective-xss Reflected server-side cross-site scripting
CWE‑79 Python py/reflective-xss-email Reflected server-side cross-site scripting
CWE‑79 Python py/header-injection HTTP Header Injection
CWE‑79 Ruby rb/reflected-xss Reflected server-side cross-site scripting
CWE‑79 Ruby rb/stored-xss Stored cross-site scripting
CWE‑79 Ruby rb/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑79 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE‑79 Ruby rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑79 Ruby rb/incomplete-sanitization Incomplete string escaping or encoding
CWE‑79 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE‑80 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑80 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑80 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑80 Ruby rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑80 Ruby rb/incomplete-sanitization Incomplete string escaping or encoding
CWE‑88 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑88 C# cs/command-line-injection Uncontrolled command line
CWE‑88 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑88 Java java/relative-path-command Executing a command with a relative path
CWE‑88 Java java/command-line-injection Uncontrolled command line
CWE‑88 Java java/command-line-injection-local Local-user-controlled command line
CWE‑88 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑88 Java java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE‑88 JavaScript js/command-line-injection Uncontrolled command line
CWE‑88 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑88 JavaScript js/second-order-command-line-injection Second order command injection
CWE‑88 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑88 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑88 JavaScript js/command-line-injection-more-sources Uncontrolled command line with additional heuristic sources
CWE‑88 Python py/command-line-injection Uncontrolled command line
CWE‑88 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑88 Ruby rb/command-line-injection Uncontrolled command line
CWE‑88 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE‑88 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE‑88 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑88 Swift swift/command-line-injection System command built from user-controlled sources
CWE‑89 C++ cpp/sql-injection Uncontrolled data in SQL query
CWE‑89 C# cs/second-order-sql-injection SQL query built from stored user-controlled sources
CWE‑89 C# cs/sql-injection SQL query built from user-controlled sources
CWE‑89 Go go/sql-injection Database query built from user-controlled sources
CWE‑89 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑89 Java java/concatenated-sql-query Query built by concatenation with a possibly-untrusted string
CWE‑89 Java java/sql-injection Query built from user-controlled sources
CWE‑89 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑89 Java java/mybatis-annotation-sql-injection SQL injection in MyBatis annotation
CWE‑89 Java java/mybatis-xml-sql-injection SQL injection in MyBatis Mapper XML
CWE‑89 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑89 JavaScript js/sql-injection-more-sources Database query built from user-controlled sources with additional heuristic sources
CWE‑89 Python py/sql-injection SQL query built from user-controlled sources
CWE‑89 Ruby rb/sql-injection SQL query built from user-controlled sources
CWE‑89 Swift swift/sql-injection Database query built from user-controlled sources
CWE‑90 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE‑90 C# cs/stored-ldap-injection LDAP query built from stored user-controlled sources
CWE‑90 Go go/ldap-injection LDAP query built from user-controlled sources
CWE‑90 Java java/ldap-injection LDAP query built from user-controlled sources
CWE‑90 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑90 JavaScript js/sql-injection-more-sources Database query built from user-controlled sources with additional heuristic sources
CWE‑90 Python py/ldap-injection LDAP query built from user-controlled sources
CWE‑90 Ruby rb/ldap-injection LDAP Injection
CWE‑91 C# cs/xml-injection XML injection
CWE‑91 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑91 C# cs/xml/xpath-injection XPath injection
CWE‑91 Go go/xml/xpath-injection XPath injection
CWE‑91 Java java/xml/xpath-injection XPath injection
CWE‑91 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑91 JavaScript js/xpath-injection XPath injection
CWE‑91 JavaScript js/xpath-injection-more-sources XPath injection with additional heuristic sources
CWE‑91 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑91 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑91 Ruby rb/xpath-injection XPath query built from user-controlled sources
CWE‑93 C# cs/web/disabled-header-checking Header checking disabled
CWE‑93 Java java/netty-http-request-or-response-splitting Disabled Netty HTTP header validation
CWE‑93 Java java/http-response-splitting HTTP response splitting
CWE‑93 Java java/http-response-splitting-local HTTP response splitting from local source
CWE‑93 Python py/header-injection HTTP Header Injection
CWE‑94 C# cs/code-injection Improper control of generation of code
CWE‑94 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑94 Java java/android/arbitrary-apk-installation Android APK installation
CWE‑94 Java java/groovy-injection Groovy Language injection
CWE‑94 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑94 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑94 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑94 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑94 Java java/server-side-template-injection Server-side template injection
CWE‑94 Java java/beanshell-injection BeanShell injection
CWE‑94 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑94 Java java/jshell-injection JShell injection
CWE‑94 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑94 Java java/jython-injection Injection in Jython
CWE‑94 Java java/unsafe-eval Injection in Java Script Engine
CWE‑94 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑94 Java java/spring-view-manipulation Spring View Manipulation
CWE‑94 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑94 JavaScript js/template-object-injection Template Object Injection
CWE‑94 JavaScript js/code-injection Code injection
CWE‑94 JavaScript js/actions/command-injection Expression injection in Actions
CWE‑94 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑94 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑94 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑94 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑94 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑94 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑94 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑94 JavaScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE‑94 JavaScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE‑94 Python py/code-injection Code injection
CWE‑94 Ruby rb/server-side-template-injection Server-side template injection
CWE‑94 Ruby rb/code-injection Code injection
CWE‑94 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE‑94 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE‑94 Swift swift/unsafe-js-eval JavaScript Injection
CWE‑95 C# cs/code-injection Improper control of generation of code
CWE‑95 Java java/jython-injection Injection in Jython
CWE‑95 JavaScript js/code-injection Code injection
CWE‑95 JavaScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE‑95 Python py/code-injection Code injection
CWE‑95 Ruby rb/code-injection Code injection
CWE‑95 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE‑95 Swift swift/unsafe-js-eval JavaScript Injection
CWE‑96 C# cs/code-injection Improper control of generation of code
CWE‑99 C# cs/path-injection Uncontrolled data used in path expression
CWE‑99 C# cs/resource-injection Resource injection
CWE‑99 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑99 Go go/path-injection Uncontrolled data used in path expression
CWE‑99 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑99 Python py/path-injection Uncontrolled data used in path expression
CWE‑99 Ruby rb/path-injection Uncontrolled data used in path expression
CWE‑99 Swift swift/path-injection Uncontrolled data used in path expression
CWE‑112 C# cs/xml/missing-validation Missing XML validation
CWE‑113 C# cs/web/disabled-header-checking Header checking disabled
CWE‑113 Java java/netty-http-request-or-response-splitting Disabled Netty HTTP header validation
CWE‑113 Java java/http-response-splitting HTTP response splitting
CWE‑113 Java java/http-response-splitting-local HTTP response splitting from local source
CWE‑113 Python py/header-injection HTTP Header Injection
CWE‑114 C++ cpp/uncontrolled-process-operation Uncontrolled process operation
CWE‑114 C# cs/assembly-path-injection Assembly path injection
CWE‑116 C# cs/web/stored-xss Stored cross-site scripting
CWE‑116 C# cs/web/xss Cross-site scripting
CWE‑116 C# cs/log-forging Log entries created from user input
CWE‑116 C# cs/inappropriate-encoding Inappropriate encoding
CWE‑116 Go go/reflected-xss Reflected cross-site scripting
CWE‑116 Go go/stored-xss Stored cross-site scripting
CWE‑116 Go go/log-injection Log entries created from user input
CWE‑116 Java java/log-injection Log Injection
CWE‑116 JavaScript js/angular/disabling-sce Disabling SCE
CWE‑116 JavaScript js/identity-replacement Replacement of a substring with itself
CWE‑116 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑116 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑116 JavaScript js/stored-xss Stored cross-site scripting
CWE‑116 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑116 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑116 JavaScript js/xss Client-side cross-site scripting
CWE‑116 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑116 JavaScript js/code-injection Code injection
CWE‑116 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑116 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑116 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑116 JavaScript js/double-escaping Double escaping or unescaping
CWE‑116 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑116 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑116 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑116 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑116 JavaScript js/log-injection Log injection
CWE‑116 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑116 JavaScript js/xss-more-sources Client-side cross-site scripting with additional heuristic sources
CWE‑116 JavaScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE‑116 JavaScript js/log-injection-more-sources Log injection with additional heuristic sources
CWE‑116 Python py/reflective-xss Reflected server-side cross-site scripting
CWE‑116 Python py/code-injection Code injection
CWE‑116 Python py/bad-tag-filter Bad HTML filtering regexp
CWE‑116 Python py/log-injection Log Injection
CWE‑116 Python py/reflective-xss-email Reflected server-side cross-site scripting
CWE‑116 Ruby rb/reflected-xss Reflected server-side cross-site scripting
CWE‑116 Ruby rb/stored-xss Stored cross-site scripting
CWE‑116 Ruby rb/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑116 Ruby rb/code-injection Code injection
CWE‑116 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE‑116 Ruby rb/bad-tag-filter Bad HTML filtering regexp
CWE‑116 Ruby rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑116 Ruby rb/incomplete-sanitization Incomplete string escaping or encoding
CWE‑116 Ruby rb/log-injection Log injection
CWE‑116 Swift swift/bad-tag-filter Bad HTML filtering regexp
CWE‑117 C# cs/log-forging Log entries created from user input
CWE‑117 Go go/log-injection Log entries created from user input
CWE‑117 Java java/log-injection Log Injection
CWE‑117 JavaScript js/log-injection Log injection
CWE‑117 JavaScript js/log-injection-more-sources Log injection with additional heuristic sources
CWE‑117 Python py/log-injection Log Injection
CWE‑117 Ruby rb/log-injection Log injection
CWE‑118 C++ cpp/offset-use-before-range-check Array offset used before range check
CWE‑118 C++ cpp/double-free Potential double free
CWE‑118 C++ cpp/late-negative-test Pointer offset used before it is checked
CWE‑118 C++ cpp/missing-negativity-test Unchecked return value used as offset
CWE‑118 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑118 C++ cpp/overflow-destination Copy function using source size
CWE‑118 C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE‑118 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑118 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑118 C++ cpp/use-after-free Potential use after free
CWE‑118 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑118 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑118 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑118 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑118 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑118 C++ cpp/using-expired-stack-address Use of expired stack-address
CWE‑118 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑118 C++ cpp/overrun-write Overrunning write
CWE‑118 C++ cpp/badly-bounded-write Badly bounded write
CWE‑118 C++ cpp/overrunning-write Potentially overrunning write
CWE‑118 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑118 C++ cpp/unbounded-write Unbounded write
CWE‑118 C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE‑118 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑118 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑118 C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE‑118 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑118 C++ cpp/memory-unsafe-function-scan Scanf function without a specified length
CWE‑118 C++ cpp/dangerous-use-convert-function Dangerous use convert function.
CWE‑118 C++ cpp/experimental-double-free Errors When Double Free
CWE‑118 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑118 C++ cpp/sign-conversion-pointer-arithmetic unsigned to signed used in pointer arithmetic
CWE‑118 C++ cpp/access-memory-location-after-end-buffer-strlen Access Of Memory Location After End Of Buffer
CWE‑118 C++ cpp/buffer-access-with-incorrect-length-value Buffer access with incorrect length value
CWE‑118 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑118 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑119 C++ cpp/offset-use-before-range-check Array offset used before range check
CWE‑119 C++ cpp/double-free Potential double free
CWE‑119 C++ cpp/late-negative-test Pointer offset used before it is checked
CWE‑119 C++ cpp/missing-negativity-test Unchecked return value used as offset
CWE‑119 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑119 C++ cpp/overflow-destination Copy function using source size
CWE‑119 C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE‑119 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑119 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑119 C++ cpp/use-after-free Potential use after free
CWE‑119 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑119 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑119 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑119 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑119 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑119 C++ cpp/using-expired-stack-address Use of expired stack-address
CWE‑119 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑119 C++ cpp/overrun-write Overrunning write
CWE‑119 C++ cpp/badly-bounded-write Badly bounded write
CWE‑119 C++ cpp/overrunning-write Potentially overrunning write
CWE‑119 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑119 C++ cpp/unbounded-write Unbounded write
CWE‑119 C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE‑119 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑119 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑119 C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE‑119 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑119 C++ cpp/memory-unsafe-function-scan Scanf function without a specified length
CWE‑119 C++ cpp/dangerous-use-convert-function Dangerous use convert function.
CWE‑119 C++ cpp/experimental-double-free Errors When Double Free
CWE‑119 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑119 C++ cpp/sign-conversion-pointer-arithmetic unsigned to signed used in pointer arithmetic
CWE‑119 C++ cpp/access-memory-location-after-end-buffer-strlen Access Of Memory Location After End Of Buffer
CWE‑119 C++ cpp/buffer-access-with-incorrect-length-value Buffer access with incorrect length value
CWE‑119 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑119 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑120 C++ cpp/offset-use-before-range-check Array offset used before range check
CWE‑120 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑120 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑120 C++ cpp/badly-bounded-write Badly bounded write
CWE‑120 C++ cpp/overrunning-write Potentially overrunning write
CWE‑120 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑120 C++ cpp/unbounded-write Unbounded write
CWE‑120 C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE‑120 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑120 C++ cpp/memory-unsafe-function-scan Scanf function without a specified length
CWE‑120 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑121 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑121 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑122 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑122 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑122 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑122 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑122 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑125 C++ cpp/offset-use-before-range-check Array offset used before range check
CWE‑125 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑125 C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE‑125 C++ cpp/dangerous-use-convert-function Dangerous use convert function.
CWE‑125 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑126 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑126 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑128 C++ cpp/signed-overflow-check Signed overflow check
CWE‑128 C++ cpp/multiplication-overflow-in-alloc Multiplication result may overflow and be used in allocation
CWE‑129 C++ cpp/unclear-array-index-validation Unclear validation of array index
CWE‑129 Java java/improper-validation-of-array-construction Improper validation of user-provided size used for array construction
CWE‑129 Java java/improper-validation-of-array-construction-code-specified Improper validation of code-specified size used for array construction
CWE‑129 Java java/improper-validation-of-array-construction-local Improper validation of local user-provided size used for array construction
CWE‑129 Java java/improper-validation-of-array-index Improper validation of user-provided array index
CWE‑129 Java java/improper-validation-of-array-index-code-specified Improper validation of code-specified array index
CWE‑129 Java java/improper-validation-of-array-index-local Improper validation of local user-provided array index
CWE‑131 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑131 C++ cpp/overflow-destination Copy function using source size
CWE‑131 C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE‑131 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑131 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑131 C++ cpp/overrun-write Overrunning write
CWE‑131 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑134 C++ cpp/non-constant-format Non-constant format string
CWE‑134 C++ cpp/tainted-format-string Uncontrolled format string
CWE‑134 C++ cpp/tainted-format-string-through-global Uncontrolled format string (through global variable)
CWE‑134 C# cs/uncontrolled-format-string Uncontrolled format string
CWE‑134 Java java/tainted-format-string Use of externally-controlled format string
CWE‑134 Java java/tainted-format-string-local Use of externally-controlled format string from local source
CWE‑134 JavaScript js/tainted-format-string Use of externally-controlled format string
CWE‑134 JavaScript js/tainted-format-string-more-sources Use of externally-controlled format string with additional heuristic sources
CWE‑134 Ruby rb/tainted-format-string Use of externally-controlled format string
CWE‑134 Swift swift/uncontrolled-format-string Uncontrolled format string
CWE‑135 Swift swift/string-length-conflation String length conflation
CWE‑170 C++ cpp/improper-null-termination Potential improper null termination
CWE‑170 C++ cpp/user-controlled-null-termination-tainted User-controlled data may not be null terminated
CWE‑172 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑172 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑176 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑176 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑178 JavaScript js/case-sensitive-middleware-path Case-sensitive middleware path
CWE‑179 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑179 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑180 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑180 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑183 Go go/cors-misconfiguration CORS misconfiguration
CWE‑183 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑183 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑183 JavaScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE‑184 JavaScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑184 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑185 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑185 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑185 Python py/bad-tag-filter Bad HTML filtering regexp
CWE‑185 Ruby rb/bad-tag-filter Bad HTML filtering regexp
CWE‑185 Swift swift/bad-tag-filter Bad HTML filtering regexp
CWE‑186 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑186 Python py/bad-tag-filter Bad HTML filtering regexp
CWE‑186 Ruby rb/bad-tag-filter Bad HTML filtering regexp
CWE‑186 Swift swift/bad-tag-filter Bad HTML filtering regexp
CWE‑190 C++ cpp/ambiguously-signed-bit-field Ambiguously signed bit-field member
CWE‑190 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑190 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑190 C++ cpp/signed-overflow-check Signed overflow check
CWE‑190 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑190 C++ cpp/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑190 C++ cpp/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑190 C++ cpp/arithmetic-with-extreme-values Use of extreme values in arithmetic expression
CWE‑190 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑190 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑190 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑190 C++ cpp/multiplication-overflow-in-alloc Multiplication result may overflow and be used in allocation
CWE‑190 C++ cpp/dangerous-use-of-transformation-after-operation Dangerous use of transformation after operation.
CWE‑190 C++ cpp/signed-bit-field Possible signed bit-field member
CWE‑190 C# cs/loss-of-precision Possible loss of precision
CWE‑190 Go go/allocation-size-overflow Size computation for allocation may overflow
CWE‑190 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑190 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑190 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑190 Java java/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑190 Java java/tainted-arithmetic-local Local-user-controlled data in arithmetic expression
CWE‑190 Java java/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑190 Java java/extreme-value-arithmetic Use of extreme values in arithmetic expression
CWE‑190 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑191 C++ cpp/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑191 C++ cpp/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑191 C++ cpp/arithmetic-with-extreme-values Use of extreme values in arithmetic expression
CWE‑191 C++ cpp/unsigned-difference-expression-compared-zero Unsigned difference expression compared to zero
CWE‑191 Java java/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑191 Java java/tainted-arithmetic-local Local-user-controlled data in arithmetic expression
CWE‑191 Java java/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑191 Java java/extreme-value-arithmetic Use of extreme values in arithmetic expression
CWE‑193 C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE‑193 C# cs/index-out-of-bounds Off-by-one comparison against container length
CWE‑193 Go go/index-out-of-bounds Off-by-one comparison against length
CWE‑193 Java java/index-out-of-bounds Array index out of bounds
CWE‑193 JavaScript js/index-out-of-bounds Off-by-one comparison against length
CWE‑197 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑197 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑197 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑197 C# cs/loss-of-precision Possible loss of precision
CWE‑197 Go go/shift-out-of-range Shift out of range
CWE‑197 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑197 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑197 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑197 Java java/tainted-numeric-cast User-controlled data in numeric cast
CWE‑197 Java java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE‑197 JavaScript js/shift-out-of-range Shift out of range
CWE‑200 C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE‑200 C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE‑200 C++ cpp/potential-system-data-exposure Potential exposure of sensitive system data to an unauthorized control sphere
CWE‑200 C++ cpp/work-with-file-without-permissions-rights Writing to a file without setting permissions.
CWE‑200 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑200 C++ cpp/private-cleartext-write Exposure of private information
CWE‑200 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑200 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE‑200 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑200 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑200 C# cs/exposure-of-sensitive-information Exposure of private information
CWE‑200 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑200 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑200 Go go/stack-trace-exposure Information exposure through a stack trace
CWE‑200 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑200 Go go/timing-attack Timing attacks due to comparison of sensitive secrets
CWE‑200 Java java/android/websettings-allow-content-access Android WebView settings allows access to content links
CWE‑200 Java java/android/websettings-file-access Android WebSettings file access
CWE‑200 Java java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE‑200 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑200 Java java/android/sensitive-keyboard-cache Android sensitive keyboard cache
CWE‑200 Java java/sensitive-log Insertion of sensitive information into log files
CWE‑200 Java java/insecure-webview-resource-response Insecure Android WebView Resource Response
CWE‑200 Java java/sensitive-android-file-leak Leaking sensitive Android file
CWE‑200 Java java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE‑200 Java java/timing-attack-against-headers-value Timing attack against header value
CWE‑200 Java java/timing-attack-against-signature Timing attack against signature validation
CWE‑200 Java java/server-directory-listing Directories and files exposure
CWE‑200 Java java/sensitive-query-with-get Sensitive GET Query
CWE‑200 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑200 JavaScript js/file-access-to-http File data in outbound network request
CWE‑200 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑200 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑200 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑200 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑200 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑200 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑200 JavaScript js/sensitive-get-query Sensitive data read from GET request
CWE‑200 Python py/bind-socket-all-network-interfaces Binding a socket to all network interfaces
CWE‑200 Python py/stack-trace-exposure Information exposure through an exception
CWE‑200 Python py/flask-debug Flask app is run in debug mode
CWE‑200 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑200 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑200 Python py/possible-timing-attack-against-hash Timing attack against Hash
CWE‑200 Python py/timing-attack-against-hash Timing attack against Hash
CWE‑200 Python py/timing-attack-against-header-value Timing attack against header value
CWE‑200 Python py/possible-timing-attack-sensitive-info Timing attack against secret
CWE‑200 Python py/timing-attack-sensitive-info Timing attack against secret
CWE‑200 Ruby rb/stack-trace-exposure Information exposure through an exception
CWE‑200 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑200 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑200 Ruby rb/sensitive-get-query Sensitive data read from GET request
CWE‑200 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE‑201 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE‑201 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑203 Go go/timing-attack Timing attacks due to comparison of sensitive secrets
CWE‑203 Java java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE‑203 Java java/timing-attack-against-headers-value Timing attack against header value
CWE‑203 Java java/timing-attack-against-signature Timing attack against signature validation
CWE‑203 Python py/possible-timing-attack-against-hash Timing attack against Hash
CWE‑203 Python py/timing-attack-against-hash Timing attack against Hash
CWE‑203 Python py/timing-attack-against-header-value Timing attack against header value
CWE‑203 Python py/possible-timing-attack-sensitive-info Timing attack against secret
CWE‑203 Python py/timing-attack-sensitive-info Timing attack against secret
CWE‑208 Java java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE‑208 Java java/timing-attack-against-headers-value Timing attack against header value
CWE‑208 Java java/timing-attack-against-signature Timing attack against signature validation
CWE‑208 Python py/possible-timing-attack-against-hash Timing attack against Hash
CWE‑208 Python py/timing-attack-against-hash Timing attack against Hash
CWE‑208 Python py/timing-attack-against-header-value Timing attack against header value
CWE‑208 Python py/possible-timing-attack-sensitive-info Timing attack against secret
CWE‑208 Python py/timing-attack-sensitive-info Timing attack against secret
CWE‑209 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑209 Go go/stack-trace-exposure Information exposure through a stack trace
CWE‑209 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑209 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑209 Python py/stack-trace-exposure Information exposure through an exception
CWE‑209 Ruby rb/stack-trace-exposure Information exposure through an exception
CWE‑215 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑215 Python py/flask-debug Flask app is run in debug mode
CWE‑216 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑219 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑221 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑221 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑221 Java java/overly-general-catch Overly-general catch clause
CWE‑221 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑221 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑227 C++ cpp/double-free Potential double free
CWE‑227 C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE‑227 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑227 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑227 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑227 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑227 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑227 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑227 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑227 C++ cpp/twice-locked Mutex locked twice
CWE‑227 C++ cpp/unreleased-lock Lock may not be released
CWE‑227 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑227 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑227 C++ cpp/experimental-double-free Errors When Double Free
CWE‑227 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑227 C++ cpp/double-release Errors When Double Release
CWE‑227 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE‑227 C# cs/invalid-dynamic-call Bad dynamic call
CWE‑227 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑227 Java java/ejb/container-interference EJB interferes with container operation
CWE‑227 Java java/ejb/file-io EJB uses file input/output
CWE‑227 Java java/ejb/graphics EJB uses graphics
CWE‑227 Java java/ejb/native-code EJB uses native code
CWE‑227 Java java/ejb/reflection EJB uses reflection
CWE‑227 Java java/ejb/security-configuration-access EJB accesses security configuration
CWE‑227 Java java/ejb/substitution-in-serialization EJB uses substitution in serialization
CWE‑227 Java java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE‑227 Java java/ejb/server-socket EJB uses server socket
CWE‑227 Java java/ejb/non-final-static-field EJB uses non-final static field
CWE‑227 Java java/ejb/synchronization EJB uses synchronization
CWE‑227 Java java/ejb/this EJB uses 'this' as argument or result
CWE‑227 Java java/ejb/threads EJB uses threads
CWE‑227 Java java/missing-call-to-super-clone Missing super clone
CWE‑227 Java java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE‑227 Java java/unreleased-lock Unreleased lock
CWE‑227 Java java/missing-super-finalize Finalizer inconsistency
CWE‑227 Java java/missing-format-argument Missing format argument
CWE‑227 Java java/unused-format-argument Unused format argument
CWE‑227 Java java/static-initialization-vector Using a static initialization vector for encryption
CWE‑227 Java java/empty-finalizer Empty body of finalizer
CWE‑227 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑227 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑227 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE‑227 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE‑227 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑227 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑227 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE‑227 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑227 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑227 Swift swift/static-initialization-vector Static initialization vector for encryption
CWE‑228 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑228 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑233 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑233 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑234 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑234 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑242 C++ cpp/dangerous-function-overflow Use of dangerous function
CWE‑243 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑247 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑247 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑248 C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE‑248 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑248 Java java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE‑248 Java java/uncaught-servlet-exception Uncaught Servlet Exception
CWE‑248 JavaScript js/server-crash Server crash
CWE‑250 JavaScript js/remote-property-injection Remote property injection
CWE‑250 JavaScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE‑252 C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE‑252 C++ cpp/return-value-ignored Return value of a function is ignored
CWE‑252 C++ cpp/inconsistent-call-on-result Inconsistent operation on return value
CWE‑252 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑252 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑252 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑252 C# cs/unchecked-return-value Unchecked return value
CWE‑252 Java java/inconsistent-call-on-result Inconsistent operation on return value
CWE‑252 Java java/return-value-ignored Method result ignored
CWE‑252 Python py/ignored-return-value Ignored return value
CWE‑253 C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE‑253 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑253 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑256 C# cs/password-in-configuration Password in configuration file
CWE‑256 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑256 Java java/password-in-configuration Password in configuration file
CWE‑256 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑258 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑258 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑259 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑259 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑259 Go go/hardcoded-credentials Hard-coded credentials
CWE‑259 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑259 Python py/hardcoded-credentials Hard-coded credentials
CWE‑259 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE‑259 Swift swift/constant-password Constant password
CWE‑260 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑260 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑260 C# cs/password-in-configuration Password in configuration file
CWE‑260 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑260 Java java/password-in-configuration Password in configuration file
CWE‑260 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑260 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑266 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑266 Java java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE‑269 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑269 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑269 Java java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE‑269 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑269 JavaScript js/remote-property-injection Remote property injection
CWE‑269 JavaScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE‑271 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑271 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑273 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑273 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑284 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑284 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑284 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑284 C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE‑284 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑284 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑284 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑284 C++ cpp/pam-auth-bypass PAM Authorization bypass
CWE‑284 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑284 C# cs/password-in-configuration Password in configuration file
CWE‑284 C# cs/web/missing-function-level-access-control Missing function level access control
CWE‑284 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑284 C# cs/session-reuse Failure to abandon session
CWE‑284 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑284 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑284 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑284 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE‑284 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE‑284 Go go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE‑284 Go go/email-injection Email content injection
CWE‑284 Go go/hardcoded-credentials Hard-coded credentials
CWE‑284 Go go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑284 Go go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑284 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑284 Go go/cors-misconfiguration CORS misconfiguration
CWE‑284 Java java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE‑284 Java java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE‑284 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑284 Java java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE‑284 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑284 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑284 Java java/insecure-basic-auth Insecure basic authentication
CWE‑284 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑284 Java java/world-writable-file-read Reading from a world writable file
CWE‑284 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑284 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑284 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑284 Java java/hardcoded-password-field Hard-coded password field
CWE‑284 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑284 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑284 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑284 Java java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE‑284 Java java/android/incomplete-provider-permissions Missing read or write permission in a content provider
CWE‑284 Java java/android/implicitly-exported-component Implicitly exported Android component
CWE‑284 Java java/android/implicit-pendingintents Use of implicit PendingIntents
CWE‑284 Java java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE‑284 Java java/android/sensitive-result-receiver Leaking sensitive information through a ResultReceiver
CWE‑284 Java java/android/intent-redirection Android Intent redirection
CWE‑284 Java java/ignored-hostname-verification Ignored result of hostname verification
CWE‑284 Java java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE‑284 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑284 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑284 Java java/password-in-configuration Password in configuration file
CWE‑284 Java java/incorrect-url-verification Incorrect URL verification
CWE‑284 JavaScript js/missing-origin-check Missing origin verification in postMessage handler
CWE‑284 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑284 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑284 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑284 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑284 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑284 JavaScript js/session-fixation Failure to abandon session
CWE‑284 JavaScript js/remote-property-injection Remote property injection
CWE‑284 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑284 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑284 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑284 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑284 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑284 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑284 JavaScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE‑284 JavaScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE‑284 JavaScript js/user-controlled-bypass-more-sources User-controlled bypass of security check with additional heuristic sources
CWE‑284 Python py/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑284 Python py/overly-permissive-file Overly permissive file permissions
CWE‑284 Python py/hardcoded-credentials Hard-coded credentials
CWE‑284 Python py/flask-constant-secret-key Initializing SECRET_KEY of Flask application with Constant value
CWE‑284 Python py/improper-ldap-auth Improper LDAP Authentication
CWE‑284 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE‑284 Ruby rb/user-controlled-bypass User-controlled bypass of security check
CWE‑284 Ruby rb/improper-ldap-auth Improper LDAP Authentication
CWE‑284 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑284 Ruby rb/weak-cookie-configuration Weak cookie configuration
CWE‑284 Ruby rb/overly-permissive-file Overly permissive file permissions
CWE‑284 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE‑284 Swift swift/constant-password Constant password
CWE‑284 Swift swift/hardcoded-key Hard-coded encryption key
CWE‑285 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑285 C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE‑285 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑285 C++ cpp/pam-auth-bypass PAM Authorization bypass
CWE‑285 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑285 C# cs/web/missing-function-level-access-control Missing function level access control
CWE‑285 Go go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑285 Java java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE‑285 Java java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE‑285 Java java/world-writable-file-read Reading from a world writable file
CWE‑285 Java java/android/incomplete-provider-permissions Missing read or write permission in a content provider
CWE‑285 Java java/android/implicitly-exported-component Implicitly exported Android component
CWE‑285 Java java/android/implicit-pendingintents Use of implicit PendingIntents
CWE‑285 Java java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE‑285 Java java/android/sensitive-result-receiver Leaking sensitive information through a ResultReceiver
CWE‑285 Java java/android/intent-redirection Android Intent redirection
CWE‑285 Java java/incorrect-url-verification Incorrect URL verification
CWE‑285 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑285 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑285 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑285 JavaScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE‑285 Python py/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑285 Python py/overly-permissive-file Overly permissive file permissions
CWE‑285 Ruby rb/weak-cookie-configuration Weak cookie configuration
CWE‑285 Ruby rb/overly-permissive-file Overly permissive file permissions
CWE‑287 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑287 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑287 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑287 C# cs/password-in-configuration Password in configuration file
CWE‑287 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑287 C# cs/session-reuse Failure to abandon session
CWE‑287 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑287 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑287 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑287 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE‑287 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE‑287 Go go/email-injection Email content injection
CWE‑287 Go go/hardcoded-credentials Hard-coded credentials
CWE‑287 Go go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑287 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑287 Java java/insecure-basic-auth Insecure basic authentication
CWE‑287 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑287 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑287 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑287 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑287 Java java/hardcoded-password-field Hard-coded password field
CWE‑287 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑287 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑287 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑287 Java java/password-in-configuration Password in configuration file
CWE‑287 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑287 JavaScript js/session-fixation Failure to abandon session
CWE‑287 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑287 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑287 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑287 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑287 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑287 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑287 JavaScript js/user-controlled-bypass-more-sources User-controlled bypass of security check with additional heuristic sources
CWE‑287 Python py/hardcoded-credentials Hard-coded credentials
CWE‑287 Python py/flask-constant-secret-key Initializing SECRET_KEY of Flask application with Constant value
CWE‑287 Python py/improper-ldap-auth Improper LDAP Authentication
CWE‑287 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE‑287 Ruby rb/user-controlled-bypass User-controlled bypass of security check
CWE‑287 Ruby rb/improper-ldap-auth Improper LDAP Authentication
CWE‑287 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE‑287 Swift swift/constant-password Constant password
CWE‑287 Swift swift/hardcoded-key Hard-coded encryption key
CWE‑290 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑290 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑290 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑290 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑290 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑290 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑290 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑290 JavaScript js/user-controlled-bypass-more-sources User-controlled bypass of security check with additional heuristic sources
CWE‑290 Ruby rb/user-controlled-bypass User-controlled bypass of security check
CWE‑295 C++ cpp/certificate-result-conflation Certificate result conflation
CWE‑295 C++ cpp/certificate-not-checked Certificate not checked
CWE‑295 Go go/disabled-certificate-check Disabled TLS certificate check
CWE‑295 Java java/android/missing-certificate-pinning Android missing certificate pinning
CWE‑295 Java java/improper-webview-certificate-validation Android WebView that accepts all certificates
CWE‑295 Java java/insecure-trustmanager TrustManager that accepts all certificates
CWE‑295 Java java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE‑295 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑295 Java java/jxbrowser/disabled-certificate-validation JxBrowser with disabled certificate validation
CWE‑295 Java java/ignored-hostname-verification Ignored result of hostname verification
CWE‑295 Java java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE‑295 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑295 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑295 Python py/paramiko-missing-host-key-validation Accepting unknown SSH host keys when using Paramiko
CWE‑295 Python py/request-without-cert-validation Request without certificate validation
CWE‑295 Ruby rb/request-without-cert-validation Request without certificate validation
CWE‑297 Java java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE‑297 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑297 Java java/ignored-hostname-verification Ignored result of hostname verification
CWE‑297 Java java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE‑297 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑299 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑300 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑300 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑300 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑307 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑311 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑311 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑311 C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE‑311 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑311 C++ cpp/non-https-url Failure to use HTTPS URLs
CWE‑311 C# cs/password-in-configuration Password in configuration file
CWE‑311 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑311 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE‑311 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE‑311 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑311 Java java/android/backup-enabled Application backup allowed
CWE‑311 Java java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE‑311 Java java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE‑311 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑311 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑311 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑311 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑311 Java java/non-https-url Failure to use HTTPS URLs
CWE‑311 Java java/non-ssl-connection Failure to use SSL
CWE‑311 Java java/non-ssl-socket-factory Failure to use SSL socket factories
CWE‑311 Java java/insecure-basic-auth Insecure basic authentication
CWE‑311 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑311 Java java/insecure-cookie Failure to use secure cookies
CWE‑311 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑311 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑311 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑311 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑311 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑311 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑311 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑311 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑311 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑311 Python py/cookie-injection Construction of a cookie using user-supplied input.
CWE‑311 Python py/insecure-cookie Failure to use secure cookies
CWE‑311 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑311 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑311 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑311 Swift swift/cleartext-storage-database Cleartext storage of sensitive information in a local database
CWE‑311 Swift swift/cleartext-transmission Cleartext transmission of sensitive information
CWE‑311 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE‑311 Swift swift/cleartext-storage-preferences Cleartext storage of sensitive information in an application preference store
CWE‑312 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑312 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑312 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑312 C# cs/password-in-configuration Password in configuration file
CWE‑312 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑312 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑312 Java java/android/backup-enabled Application backup allowed
CWE‑312 Java java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE‑312 Java java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE‑312 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑312 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑312 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑312 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑312 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑312 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑312 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑312 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑312 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑312 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑312 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑312 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑312 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑312 Swift swift/cleartext-storage-database Cleartext storage of sensitive information in a local database
CWE‑312 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE‑312 Swift swift/cleartext-storage-preferences Cleartext storage of sensitive information in an application preference store
CWE‑313 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑313 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑313 C# cs/password-in-configuration Password in configuration file
CWE‑313 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑313 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑315 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑315 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑315 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑315 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑315 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑315 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑319 C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE‑319 C++ cpp/non-https-url Failure to use HTTPS URLs
CWE‑319 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE‑319 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE‑319 Java java/non-https-url Failure to use HTTPS URLs
CWE‑319 Java java/non-ssl-connection Failure to use SSL
CWE‑319 Java java/non-ssl-socket-factory Failure to use SSL socket factories
CWE‑319 Java java/insecure-basic-auth Insecure basic authentication
CWE‑319 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑319 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑319 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑319 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑319 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑319 Swift swift/cleartext-transmission Cleartext transmission of sensitive information
CWE‑321 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑321 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑321 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑321 Go go/hardcoded-credentials Hard-coded credentials
CWE‑321 Go go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑321 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑321 Python py/hardcoded-credentials Hard-coded credentials
CWE‑321 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE‑321 Swift swift/hardcoded-key Hard-coded encryption key
CWE‑322 Go go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE‑326 C++ cpp/boost/tls-settings-misconfiguration Boost_asio TLS Settings Misconfiguration
CWE‑326 C++ cpp/insufficient-key-size Use of a cryptographic algorithm with insufficient key size
CWE‑326 C# cs/insufficient-key-size Weak encryption: Insufficient key size
CWE‑326 Go go/weak-crypto-key Use of a weak cryptographic key
CWE‑326 Go go/weak-crypto-algorithm Use of a weak cryptographic algorithm
CWE‑326 Java java/insufficient-key-size Use of a cryptographic algorithm with insufficient key size
CWE‑326 Java java/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑326 Java java/potentially-weak-cryptographic-algorithm Use of a potentially broken or risky cryptographic algorithm
CWE‑326 JavaScript js/insufficient-key-size Use of a weak cryptographic key
CWE‑326 JavaScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑326 Python py/weak-crypto-key Use of weak cryptographic key
CWE‑326 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE‑326 Swift swift/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE‑327 C++ cpp/boost/use-of-deprecated-hardcoded-security-protocol boost::asio Use of deprecated hardcoded Protocol
CWE‑327 C++ cpp/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑327 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑327 C# cs/adding-cert-to-root-store Do not add certificates to the system root store.
CWE‑327 C# cs/insecure-sql-connection Insecure SQL connection
CWE‑327 C# cs/ecb-encryption Encryption using ECB
CWE‑327 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE‑327 C# cs/weak-encryption Weak encryption
CWE‑327 C# cs/azure-storage/unsafe-usage-of-client-side-encryption-version Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
CWE‑327 Go go/insecure-tls Insecure TLS configuration
CWE‑327 Go go/weak-crypto-algorithm Use of a weak cryptographic algorithm
CWE‑327 Java java/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑327 Java java/potentially-weak-cryptographic-algorithm Use of a potentially broken or risky cryptographic algorithm
CWE‑327 Java java/rsa-without-oaep Use of RSA algorithm without OAEP
CWE‑327 Java java/azure-storage/unsafe-client-side-encryption-in-use Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
CWE‑327 Java java/unsafe-tls-version Unsafe TLS version
CWE‑327 Java java/hash-without-salt Use of a hash function without a salt
CWE‑327 JavaScript js/biased-cryptographic-random Creating biased random numbers from a cryptographically secure source.
CWE‑327 JavaScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑327 JavaScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE‑327 Python py/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑327 Python py/insecure-default-protocol Default version of SSL/TLS may be insecure
CWE‑327 Python py/insecure-protocol Use of insecure SSL/TLS version
CWE‑327 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE‑327 Python py/azure-storage/unsafe-client-side-encryption-in-use Unsafe usage of v1 version of Azure Storage client-side encryption.
CWE‑327 Ruby rb/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑327 Swift swift/ecb-encryption Encryption using ECB
CWE‑327 Swift swift/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE‑327 Swift swift/constant-salt Use of constant salts
CWE‑327 Swift swift/insufficient-hash-iterations Insufficient hash iterations
CWE‑328 Go go/weak-crypto-algorithm Use of a weak cryptographic algorithm
CWE‑328 Java java/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑328 Java java/potentially-weak-cryptographic-algorithm Use of a potentially broken or risky cryptographic algorithm
CWE‑328 JavaScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑328 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE‑328 Swift swift/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE‑329 Java java/static-initialization-vector Using a static initialization vector for encryption
CWE‑329 Swift swift/static-initialization-vector Static initialization vector for encryption
CWE‑330 C# cs/random-used-once Random used only once
CWE‑330 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑330 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑330 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑330 C# cs/insecure-randomness Insecure randomness
CWE‑330 Go go/insecure-randomness Use of insufficient randomness as the key of a cryptographic algorithm
CWE‑330 Go go/hardcoded-credentials Hard-coded credentials
CWE‑330 Go go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑330 Java java/random-used-once Random used only once
CWE‑330 Java java/static-initialization-vector Using a static initialization vector for encryption
CWE‑330 Java java/predictable-seed Use of a predictable seed in a secure random number generator
CWE‑330 Java java/jhipster-prng Detect JHipster Generator Vulnerability CVE-2019-16303
CWE‑330 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑330 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑330 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑330 Java java/hardcoded-password-field Hard-coded password field
CWE‑330 JavaScript js/insecure-randomness Insecure randomness
CWE‑330 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑330 JavaScript js/predictable-token Predictable token
CWE‑330 Python py/hardcoded-credentials Hard-coded credentials
CWE‑330 Python py/insecure-randomness Insecure randomness
CWE‑330 Python py/predictable-token Predictable token
CWE‑330 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE‑330 Swift swift/static-initialization-vector Static initialization vector for encryption
CWE‑330 Swift swift/constant-password Constant password
CWE‑330 Swift swift/hardcoded-key Hard-coded encryption key
CWE‑335 C# cs/random-used-once Random used only once
CWE‑335 Java java/random-used-once Random used only once
CWE‑335 Java java/predictable-seed Use of a predictable seed in a secure random number generator
CWE‑337 Java java/predictable-seed Use of a predictable seed in a secure random number generator
CWE‑338 C# cs/insecure-randomness Insecure randomness
CWE‑338 Go go/insecure-randomness Use of insufficient randomness as the key of a cryptographic algorithm
CWE‑338 Java java/jhipster-prng Detect JHipster Generator Vulnerability CVE-2019-16303
CWE‑338 JavaScript js/insecure-randomness Insecure randomness
CWE‑338 Python py/insecure-randomness Insecure randomness
CWE‑340 JavaScript js/predictable-token Predictable token
CWE‑340 Python py/predictable-token Predictable token
CWE‑344 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑344 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑344 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑344 Go go/hardcoded-credentials Hard-coded credentials
CWE‑344 Go go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑344 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑344 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑344 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑344 Java java/hardcoded-password-field Hard-coded password field
CWE‑344 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑344 Python py/hardcoded-credentials Hard-coded credentials
CWE‑344 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE‑344 Swift swift/constant-password Constant password
CWE‑344 Swift swift/hardcoded-key Hard-coded encryption key
CWE‑345 C++ cpp/non-https-url Failure to use HTTPS URLs
CWE‑345 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE‑345 Go go/constant-oauth2-state Use of constant state value in OAuth 2.0 URL
CWE‑345 Go go/cors-misconfiguration CORS misconfiguration
CWE‑345 Java java/missing-jwt-signature-check Missing JWT signature check
CWE‑345 Java java/spring-disabled-csrf-protection Disabled Spring CSRF protection
CWE‑345 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑345 Java java/ip-address-spoofing IP address spoofing
CWE‑345 Java java/jsonp-injection JSONP Injection
CWE‑345 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑345 JavaScript js/jwt-missing-verification JWT missing secret or public key verification
CWE‑345 JavaScript js/missing-token-validation Missing CSRF middleware
CWE‑345 JavaScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE‑345 Python py/csrf-protection-disabled CSRF protection weakened or disabled
CWE‑345 Python py/jwt-missing-verification JWT missing secret or public key verification
CWE‑345 Python py/ip-address-spoofing IP address spoofing
CWE‑345 Ruby rb/csrf-protection-disabled CSRF protection weakened or disabled
CWE‑346 Go go/cors-misconfiguration CORS misconfiguration
CWE‑346 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑346 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑346 JavaScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE‑347 Java java/missing-jwt-signature-check Missing JWT signature check
CWE‑347 JavaScript js/jwt-missing-verification JWT missing secret or public key verification
CWE‑347 Python py/jwt-missing-verification JWT missing secret or public key verification
CWE‑348 Java java/ip-address-spoofing IP address spoofing
CWE‑348 Python py/ip-address-spoofing IP address spoofing
CWE‑350 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑350 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑352 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE‑352 Go go/constant-oauth2-state Use of constant state value in OAuth 2.0 URL
CWE‑352 Java java/spring-disabled-csrf-protection Disabled Spring CSRF protection
CWE‑352 Java java/jsonp-injection JSONP Injection
CWE‑352 JavaScript js/missing-token-validation Missing CSRF middleware
CWE‑352 Python py/csrf-protection-disabled CSRF protection weakened or disabled
CWE‑352 Ruby rb/csrf-protection-disabled CSRF protection weakened or disabled
CWE‑359 C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE‑359 C++ cpp/private-cleartext-write Exposure of private information
CWE‑359 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑359 C# cs/exposure-of-sensitive-information Exposure of private information
CWE‑359 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑359 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑359 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑359 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑359 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑359 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑359 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑359 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑359 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑359 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE‑362 C++ cpp/toctou-race-condition Time-of-check time-of-use filesystem race condition
CWE‑362 C++ cpp/linux-kernel-double-fetch-vulnerability Linux kernel double-fetch vulnerability detection
CWE‑362 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑362 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑362 C# cs/thread-unsafe-icryptotransform-field-in-class Thread-unsafe use of a static ICryptoTransform field
CWE‑362 C# cs/thread-unsafe-icryptotransform-captured-in-lambda Thread-unsafe capturing of an ICryptoTransform object
CWE‑362 Java java/toctou-race-condition Time-of-check time-of-use race condition
CWE‑362 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑362 JavaScript js/file-system-race Potential file system race condition
CWE‑366 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑367 C++ cpp/toctou-race-condition Time-of-check time-of-use filesystem race condition
CWE‑367 Java java/toctou-race-condition Time-of-check time-of-use race condition
CWE‑367 JavaScript js/file-system-race Potential file system race condition
CWE‑369 C++ cpp/divide-by-zero-using-return-value Divide by zero using return value
CWE‑369 Go go/divide-by-zero Divide by zero
CWE‑377 C++ cpp/insecure-generation-of-filename Insecure generation of filenames.
CWE‑377 JavaScript js/insecure-temporary-file Insecure temporary file
CWE‑377 Python py/insecure-temporary-file Insecure temporary file
CWE‑378 JavaScript js/insecure-temporary-file Insecure temporary file
CWE‑382 Java java/ejb/container-interference EJB interferes with container operation
CWE‑382 Java java/jvm-exit Forcible JVM termination
CWE‑383 Java java/ejb/threads EJB uses threads
CWE‑384 C# cs/session-reuse Failure to abandon session
CWE‑384 JavaScript js/session-fixation Failure to abandon session
CWE‑390 C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE‑390 C# cs/empty-catch-block Poor error handling: empty catch block
CWE‑390 Python py/empty-except Empty except
CWE‑391 C# cs/empty-catch-block Poor error handling: empty catch block
CWE‑391 Java java/discarded-exception Discarded exception
CWE‑391 Java java/ignored-error-status-of-call Ignored error status of call
CWE‑395 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑396 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑396 Java java/overly-general-catch Overly-general catch clause
CWE‑396 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑398 C++ cpp/unused-local-variable Unused local variable
CWE‑398 C++ cpp/unused-static-function Unused static function
CWE‑398 C++ cpp/unused-static-variable Unused static variable
CWE‑398 C++ cpp/dead-code-condition Branching condition always evaluates to same value
CWE‑398 C++ cpp/dead-code-function Function is never called
CWE‑398 C++ cpp/dead-code-goto Dead code due to goto or break statement
CWE‑398 C++ cpp/inconsistent-nullness-testing Inconsistent null check of pointer
CWE‑398 C++ cpp/missing-null-test Returned pointer not checked
CWE‑398 C++ cpp/unused-variable Variable is assigned a value that is never read
CWE‑398 C++ cpp/fixme-comment FIXME comment
CWE‑398 C++ cpp/todo-comment TODO comment
CWE‑398 C++ cpp/inconsistent-null-check Inconsistent nullness check
CWE‑398 C++ cpp/useless-expression Expression has no effect
CWE‑398 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑398 C++ cpp/suspicious-call-to-memset Suspicious call to memset
CWE‑398 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑398 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑398 C++ cpp/redundant-null-check-simple Redundant null check due to previous dereference
CWE‑398 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑398 C++ cpp/dangerous-function-overflow Use of dangerous function
CWE‑398 C++ cpp/dangerous-cin Dangerous use of 'cin'
CWE‑398 C++ cpp/potentially-dangerous-function Use of potentially dangerous function
CWE‑398 C++ cpp/redundant-null-check-param Redundant null check or missing null check of parameter
CWE‑398 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑398 C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE‑398 C# cs/call-to-obsolete-method Call to obsolete method
CWE‑398 C# cs/todo-comment TODO comment
CWE‑398 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑398 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑398 C# cs/unused-reftype Dead reference types
CWE‑398 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE‑398 C# cs/unused-field Unused field
CWE‑398 C# cs/unused-method Unused method
CWE‑398 C# cs/useless-cast-to-self Cast to same type
CWE‑398 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE‑398 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE‑398 C# cs/useless-type-test Useless type test
CWE‑398 C# cs/useless-upcast Useless upcast
CWE‑398 C# cs/empty-collection Container contents are never initialized
CWE‑398 C# cs/unused-collection Container contents are never accessed
CWE‑398 C# cs/empty-lock-statement Empty lock statement
CWE‑398 C# cs/linq/useless-select Redundant Select
CWE‑398 Go go/comparison-of-identical-expressions Comparison of identical values
CWE‑398 Go go/useless-assignment-to-field Useless assignment to field
CWE‑398 Go go/useless-assignment-to-local Useless assignment to local variable
CWE‑398 Go go/duplicate-branches Duplicate 'if' branches
CWE‑398 Go go/duplicate-condition Duplicate 'if' condition
CWE‑398 Go go/duplicate-switch-case Duplicate switch case
CWE‑398 Go go/useless-expression Expression has no effect
CWE‑398 Go go/redundant-operation Identical operands
CWE‑398 Go go/redundant-assignment Self assignment
CWE‑398 Go go/unreachable-statement Unreachable statement
CWE‑398 Go go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑398 Java java/deprecated-call Deprecated method or constructor invocation
CWE‑398 Java java/dead-class Dead class
CWE‑398 Java java/dead-enum-constant Dead enum constant
CWE‑398 Java java/dead-field Dead field
CWE‑398 Java java/dead-function Dead method
CWE‑398 Java java/lines-of-dead-code Lines of dead code in files
CWE‑398 Java java/unused-parameter Useless parameter
CWE‑398 Java java/useless-null-check Useless null check
CWE‑398 Java java/useless-type-test Useless type test
CWE‑398 Java java/useless-upcast Useless upcast
CWE‑398 Java java/empty-container Container contents are never initialized
CWE‑398 Java java/unused-container Container contents are never accessed
CWE‑398 Java java/constant-comparison Useless comparison test
CWE‑398 Java java/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑398 Java java/dereferenced-expr-may-be-null Dereferenced expression may be null
CWE‑398 Java java/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑398 Java java/empty-synchronized-block Empty synchronized block
CWE‑398 Java java/unreachable-catch-clause Unreachable catch clause
CWE‑398 Java java/potentially-dangerous-function Use of a potentially dangerous function
CWE‑398 Java java/todo-comment TODO/FIXME comments
CWE‑398 Java java/unused-reference-type Unused classes and interfaces
CWE‑398 Java java/overwritten-assignment-to-local Assigned value is overwritten
CWE‑398 Java java/useless-assignment-to-local Useless assignment to local variable
CWE‑398 Java java/unused-initialized-local Local variable is initialized but not used
CWE‑398 Java java/local-variable-is-never-read Unread local variable
CWE‑398 Java java/unused-field Unused field
CWE‑398 Java java/unused-label Unused label
CWE‑398 Java java/unused-local-variable Unused local variable
CWE‑398 Java java/switch-fall-through Unterminated switch case
CWE‑398 Java java/redundant-cast Unnecessary cast
CWE‑398 Java java/unused-import Unnecessary import
CWE‑398 JavaScript js/todo-comment TODO comment
CWE‑398 JavaScript js/eval-like-call Call to eval-like DOM function
CWE‑398 JavaScript js/variable-initialization-conflict Conflicting variable initialization
CWE‑398 JavaScript js/function-declaration-conflict Conflicting function declarations
CWE‑398 JavaScript js/useless-assignment-to-global Useless assignment to global variable
CWE‑398 JavaScript js/useless-assignment-to-local Useless assignment to local variable
CWE‑398 JavaScript js/overwritten-property Overwritten property
CWE‑398 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑398 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑398 JavaScript js/duplicate-condition Duplicate 'if' condition
CWE‑398 JavaScript js/duplicate-property Duplicate property
CWE‑398 JavaScript js/duplicate-switch-case Duplicate switch case
CWE‑398 JavaScript js/useless-expression Expression has no effect
CWE‑398 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑398 JavaScript js/redundant-operation Identical operands
CWE‑398 JavaScript js/redundant-assignment Self assignment
CWE‑398 JavaScript js/call-to-non-callable Invocation of non-function
CWE‑398 JavaScript js/property-access-on-non-object Property access on null or undefined
CWE‑398 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑398 JavaScript js/useless-type-test Useless type test
CWE‑398 JavaScript js/eval-call Use of eval
CWE‑398 JavaScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE‑398 JavaScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE‑398 JavaScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE‑398 JavaScript js/useless-assignment-in-return Return statement assigns local variable
CWE‑398 JavaScript js/unreachable-statement Unreachable statement
CWE‑398 JavaScript js/trivial-conditional Useless conditional
CWE‑398 Python py/unreachable-except Unreachable 'except' block
CWE‑398 Python py/comparison-of-constants Comparison of constants
CWE‑398 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑398 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑398 Python py/redundant-comparison Redundant comparison
CWE‑398 Python py/duplicate-key-dict-literal Duplicate key in dict literal
CWE‑398 Python py/import-deprecated-module Import of deprecated module
CWE‑398 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑398 Python py/redundant-assignment Redundant assignment
CWE‑398 Python py/ineffectual-statement Statement has no effect
CWE‑398 Python py/unreachable-statement Unreachable code
CWE‑398 Python py/multiple-definition Variable defined multiple times
CWE‑398 Python py/unused-local-variable Unused local variable
CWE‑398 Python py/unused-global-variable Unused global variable
CWE‑398 Ruby rb/useless-assignment-to-local Useless assignment to local variable
CWE‑398 Ruby rb/unused-parameter Unused parameter.
CWE‑400 C++ cpp/catch-missing-free Leaky catch
CWE‑400 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑400 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑400 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑400 C++ cpp/file-never-closed Open file is not closed
CWE‑400 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑400 C++ cpp/memory-never-freed Memory is never freed
CWE‑400 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑400 C++ cpp/alloca-in-loop Call to alloca in a loop
CWE‑400 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑400 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑400 C# cs/redos Denial of Service from comparison of user input against expensive regex
CWE‑400 C# cs/regex-injection Regular expression injection
CWE‑400 Java java/input-resource-leak Potential input resource leak
CWE‑400 Java java/database-resource-leak Potential database resource leak
CWE‑400 Java java/output-resource-leak Potential output resource leak
CWE‑400 Java java/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑400 Java java/redos Inefficient regular expression
CWE‑400 Java java/regex-injection Regular expression injection
CWE‑400 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑400 Java java/local-thread-resource-abuse Uncontrolled thread resource consumption from local input source
CWE‑400 Java java/thread-resource-abuse Uncontrolled thread resource consumption
CWE‑400 JavaScript js/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑400 JavaScript js/redos Inefficient regular expression
CWE‑400 JavaScript js/resource-exhaustion-from-deep-object-traversal Resources exhaustion from deep object traversal
CWE‑400 JavaScript js/remote-property-injection Remote property injection
CWE‑400 JavaScript js/regex-injection Regular expression injection
CWE‑400 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑400 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑400 JavaScript js/xml-bomb XML internal entity expansion
CWE‑400 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑400 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑400 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑400 JavaScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE‑400 JavaScript js/regex-injection-more-sources Regular expression injection with additional heuristic sources
CWE‑400 JavaScript js/resource-exhaustion-more-sources Resource exhaustion with additional heuristic sources
CWE‑400 JavaScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE‑400 JavaScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE‑400 Python py/file-not-closed File is not always closed
CWE‑400 Python py/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑400 Python py/redos Inefficient regular expression
CWE‑400 Python py/regex-injection Regular expression injection
CWE‑400 Python py/xml-bomb XML internal entity expansion
CWE‑400 Ruby rb/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑400 Ruby rb/redos Inefficient regular expression
CWE‑400 Ruby rb/regexp-injection Regular expression injection
CWE‑400 Swift swift/redos Inefficient regular expression
CWE‑400 Swift swift/regex-injection Regular expression injection
CWE‑401 C++ cpp/catch-missing-free Leaky catch
CWE‑401 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑401 C++ cpp/memory-never-freed Memory is never freed
CWE‑401 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑401 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑404 C++ cpp/catch-missing-free Leaky catch
CWE‑404 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑404 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑404 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑404 C++ cpp/file-never-closed Open file is not closed
CWE‑404 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑404 C++ cpp/memory-never-freed Memory is never freed
CWE‑404 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑404 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑404 C++ cpp/resource-not-released-in-destructor Resource not released in destructor
CWE‑404 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑404 C# cs/member-not-disposed Missing Dispose call
CWE‑404 C# cs/missing-dispose-method Missing Dispose method
CWE‑404 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑404 Java java/missing-super-finalize Finalizer inconsistency
CWE‑404 Java java/input-resource-leak Potential input resource leak
CWE‑404 Java java/database-resource-leak Potential database resource leak
CWE‑404 Java java/output-resource-leak Potential output resource leak
CWE‑404 Java java/empty-finalizer Empty body of finalizer
CWE‑404 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑404 Python py/file-not-closed File is not always closed
CWE‑405 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑405 C# cs/insecure-xml-read XML is read insecurely
CWE‑405 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑405 Java java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE‑405 JavaScript js/xml-bomb XML internal entity expansion
CWE‑405 JavaScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE‑405 Python py/xml-bomb XML internal entity expansion
CWE‑405 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer denial of service
CWE‑405 Ruby rb/user-controlled-file-decompression User-controlled file decompression
CWE‑405 Ruby rb/xxe XML external entity expansion
CWE‑405 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE‑409 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑409 C# cs/insecure-xml-read XML is read insecurely
CWE‑409 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑409 Java java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE‑409 JavaScript js/xml-bomb XML internal entity expansion
CWE‑409 JavaScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE‑409 Python py/xml-bomb XML internal entity expansion
CWE‑409 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer denial of service
CWE‑409 Ruby rb/user-controlled-file-decompression User-controlled file decompression
CWE‑409 Ruby rb/xxe XML external entity expansion
CWE‑409 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE‑413 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑415 C++ cpp/double-free Potential double free
CWE‑415 C++ cpp/experimental-double-free Errors When Double Free
CWE‑415 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑416 C++ cpp/use-after-free Potential use after free
CWE‑420 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑421 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑428 C++ cpp/unsafe-create-process-call NULL application name with an unquoted path in call to CreateProcess
CWE‑434 C# cs/web/file-upload Use of file upload
CWE‑434 JavaScript js/http-to-file-access Network data written to file
CWE‑434 Ruby rb/http-to-file-access Network data written to file
CWE‑435 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑435 JavaScript js/insecure-http-parser Insecure http parser
CWE‑436 JavaScript js/insecure-http-parser Insecure http parser
CWE‑441 C# cs/request-forgery Server-side request forgery
CWE‑441 Go go/request-forgery Uncontrolled data used in network request
CWE‑441 Go go/ssrf Uncontrolled data used in network request
CWE‑441 Java java/android/unsafe-content-uri-resolution Uncontrolled data used in content resolution
CWE‑441 Java java/ssrf Server-side request forgery
CWE‑441 JavaScript js/client-side-request-forgery Client-side request forgery
CWE‑441 JavaScript js/request-forgery Server-side request forgery
CWE‑441 JavaScript javascript/ssrf Uncontrolled data used in network request
CWE‑441 Python py/full-ssrf Full server-side request forgery
CWE‑441 Python py/partial-ssrf Partial server-side request forgery
CWE‑441 Ruby rb/request-forgery Server-side request forgery
CWE‑444 JavaScript js/insecure-http-parser Insecure http parser
CWE‑451 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑451 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑456 C++ cpp/initialization-not-run Initialization code not run
CWE‑457 C++ cpp/global-use-before-init Global variable may be used before initialization
CWE‑457 C++ cpp/not-initialised Variable not initialized before use
CWE‑457 C++ cpp/uninitialized-local Potentially uninitialized local variable
CWE‑457 C++ cpp/conditionally-uninitialized-variable Conditionally uninitialized variable
CWE‑457 C# cs/unassigned-field Field is never assigned a non-default value
CWE‑457 Java java/unassigned-field Field is never assigned a non-null value
CWE‑459 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑459 C# cs/member-not-disposed Missing Dispose call
CWE‑459 C# cs/missing-dispose-method Missing Dispose method
CWE‑459 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑459 Java java/missing-super-finalize Finalizer inconsistency
CWE‑459 Java java/empty-finalizer Empty body of finalizer
CWE‑460 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑460 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑467 C++ cpp/suspicious-sizeof Suspicious 'sizeof' use
CWE‑468 C++ cpp/suspicious-pointer-scaling Suspicious pointer scaling
CWE‑468 C++ cpp/incorrect-pointer-scaling-char Suspicious pointer scaling to char
CWE‑468 C++ cpp/suspicious-pointer-scaling-void Suspicious pointer scaling to void
CWE‑468 C++ cpp/suspicious-add-sizeof Suspicious add with sizeof
CWE‑470 Java java/android/fragment-injection Android fragment injection
CWE‑470 Java java/android/fragment-injection-preference-activity Android fragment injection in PreferenceActivity
CWE‑470 Java java/unsafe-reflection Use of externally-controlled input to select classes or code ('unsafe reflection')
CWE‑471 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑471 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑471 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑471 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑471 JavaScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE‑472 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑476 C++ cpp/inconsistent-nullness-testing Inconsistent null check of pointer
CWE‑476 C++ cpp/missing-null-test Returned pointer not checked
CWE‑476 C++ cpp/inconsistent-null-check Inconsistent nullness check
CWE‑476 C++ cpp/redundant-null-check-simple Redundant null check due to previous dereference
CWE‑476 C++ cpp/redundant-null-check-param Redundant null check or missing null check of parameter
CWE‑476 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑476 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑476 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑476 Java java/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑476 Java java/dereferenced-expr-may-be-null Dereferenced expression may be null
CWE‑476 Java java/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑476 JavaScript js/call-to-non-callable Invocation of non-function
CWE‑476 JavaScript js/property-access-on-non-object Property access on null or undefined
CWE‑477 C# cs/call-to-obsolete-method Call to obsolete method
CWE‑477 Java java/deprecated-call Deprecated method or constructor invocation
CWE‑477 Python py/import-deprecated-module Import of deprecated module
CWE‑478 C++ cpp/missing-case-in-switch Missing enum case in switch
CWE‑478 C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE‑478 Java java/missing-default-in-switch Missing default case in switch
CWE‑478 Java java/missing-case-in-switch Missing enum case in switch
CWE‑480 C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE‑480 C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE‑480 C++ cpp/incorrect-not-operator-usage Incorrect 'not' operator usage
CWE‑480 C++ cpp/logical-operator-applied-to-flag Short-circuiting operator applied to flag
CWE‑480 C++ cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations Operator Precedence Logic Error When Use Bitwise Or Logical Operations
CWE‑480 C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE‑480 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE‑480 Go go/useless-expression Expression has no effect
CWE‑480 Go go/redundant-operation Identical operands
CWE‑480 Go go/redundant-assignment Self assignment
CWE‑480 Java java/assignment-in-boolean-expression Assignment in Boolean expression
CWE‑480 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑480 JavaScript js/useless-expression Expression has no effect
CWE‑480 JavaScript js/redundant-operation Identical operands
CWE‑480 JavaScript js/redundant-assignment Self assignment
CWE‑480 JavaScript js/deletion-of-non-property Deleting non-property
CWE‑481 C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE‑481 Java java/assignment-in-boolean-expression Assignment in Boolean expression
CWE‑482 C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE‑483 JavaScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE‑483 JavaScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE‑484 Java java/switch-fall-through Unterminated switch case
CWE‑485 C# cs/class-name-comparison Erroneous class compare
CWE‑485 C# cs/cast-from-abstract-to-concrete-collection Cast from abstract to concrete collection
CWE‑485 C# cs/expose-implementation Exposing internal representation
CWE‑485 C# cs/web/debug-code ASP.NET: leftover debug code
CWE‑485 Java java/missing-call-to-super-clone Missing super clone
CWE‑485 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑485 Java java/android/debuggable-attribute-enabled Android debuggable attribute enabled
CWE‑485 Java java/android/webview-debugging-enabled Android Webview debugging enabled
CWE‑485 Java java/trust-boundary-violation Trust boundary violation
CWE‑485 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE‑485 Java java/abstract-to-concrete-cast Cast from abstract to concrete collection
CWE‑485 Java java/internal-representation-exposure Exposing internal representation
CWE‑485 Java java/main-method-in-enterprise-bean Main Method in Enterprise Java Bean
CWE‑485 Java java/main-method-in-web-components Main Method in Java EE Web Components
CWE‑485 Java java/struts-development-mode Apache Struts development mode enabled
CWE‑485 JavaScript js/alert-call Invocation of alert
CWE‑485 JavaScript js/debugger-statement Use of debugger statement
CWE‑485 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑485 Python py/flask-debug Flask app is run in debug mode
CWE‑485 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE‑485 Swift swift/unsafe-js-eval JavaScript Injection
CWE‑486 C# cs/class-name-comparison Erroneous class compare
CWE‑489 C# cs/web/debug-code ASP.NET: leftover debug code
CWE‑489 Java java/android/debuggable-attribute-enabled Android debuggable attribute enabled
CWE‑489 Java java/android/webview-debugging-enabled Android Webview debugging enabled
CWE‑489 Java java/main-method-in-enterprise-bean Main Method in Enterprise Java Bean
CWE‑489 Java java/main-method-in-web-components Main Method in Java EE Web Components
CWE‑489 Java java/struts-development-mode Apache Struts development mode enabled
CWE‑489 JavaScript js/alert-call Invocation of alert
CWE‑489 JavaScript js/debugger-statement Use of debugger statement
CWE‑489 Python py/flask-debug Flask app is run in debug mode
CWE‑494 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑494 JavaScript js/enabling-electron-insecure-content Enabling Electron allowRunningInsecureContent
CWE‑494 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑494 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑497 C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE‑497 C++ cpp/potential-system-data-exposure Potential exposure of sensitive system data to an unauthorized control sphere
CWE‑497 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑497 Go go/stack-trace-exposure Information exposure through a stack trace
CWE‑497 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑497 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑497 Python py/stack-trace-exposure Information exposure through an exception
CWE‑497 Ruby rb/stack-trace-exposure Information exposure through an exception
CWE‑499 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑501 Java java/trust-boundary-violation Trust boundary violation
CWE‑502 C# cs/deserialized-delegate Deserialized delegate
CWE‑502 C# cs/unsafe-deserialization Unsafe deserializer
CWE‑502 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE‑502 Java java/unsafe-deserialization Deserialization of user-controlled data
CWE‑502 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑502 Java java/unsafe-deserialization-rmi Unsafe deserialization in a remotely callable method.
CWE‑502 Java java/unsafe-deserialization-spring-exporter-in-configuration-class Unsafe deserialization with Spring's remote service exporters.
CWE‑502 Java java/unsafe-deserialization-spring-exporter-in-xml-configuration Unsafe deserialization with Spring's remote service exporters.
CWE‑502 JavaScript js/unsafe-deserialization Deserialization of user-controlled data
CWE‑502 JavaScript js/unsafe-deserialization-more-sources Deserialization of user-controlled data with additional heuristic sources
CWE‑502 Python py/unsafe-deserialization Deserialization of user-controlled data
CWE‑502 Ruby rb/unsafe-deserialization Deserialization of user-controlled data
CWE‑506 JavaScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑506 Ruby rb/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑521 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑521 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑522 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑522 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑522 C# cs/password-in-configuration Password in configuration file
CWE‑522 Java java/insecure-basic-auth Insecure basic authentication
CWE‑522 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑522 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑522 Java java/password-in-configuration Password in configuration file
CWE‑522 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑522 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑522 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE‑523 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE‑524 Java java/android/sensitive-keyboard-cache Android sensitive keyboard cache
CWE‑532 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑532 Java java/sensitive-log Insertion of sensitive information into log files
CWE‑532 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑532 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑532 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑532 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑532 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE‑538 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑538 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑538 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑538 Java java/sensitive-log Insertion of sensitive information into log files
CWE‑538 Java java/server-directory-listing Directories and files exposure
CWE‑538 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑538 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑538 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑538 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑538 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑538 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE‑539 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑543 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑546 C++ cpp/fixme-comment FIXME comment
CWE‑546 C++ cpp/todo-comment TODO comment
CWE‑546 C# cs/todo-comment TODO comment
CWE‑546 Java java/todo-comment TODO/FIXME comments
CWE‑546 JavaScript js/todo-comment TODO comment
CWE‑548 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑548 Java java/server-directory-listing Directories and files exposure
CWE‑548 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑552 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑552 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑552 Java java/sensitive-log Insertion of sensitive information into log files
CWE‑552 Java java/server-directory-listing Directories and files exposure
CWE‑552 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑552 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑552 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑552 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑552 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑552 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE‑555 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑555 Java java/password-in-configuration Password in configuration file
CWE‑560 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑561 C++ cpp/unused-static-function Unused static function
CWE‑561 C++ cpp/dead-code-condition Branching condition always evaluates to same value
CWE‑561 C++ cpp/dead-code-function Function is never called
CWE‑561 C++ cpp/dead-code-goto Dead code due to goto or break statement
CWE‑561 C++ cpp/useless-expression Expression has no effect
CWE‑561 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑561 C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE‑561 C# cs/unused-reftype Dead reference types
CWE‑561 C# cs/unused-field Unused field
CWE‑561 C# cs/unused-method Unused method
CWE‑561 C# cs/useless-cast-to-self Cast to same type
CWE‑561 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE‑561 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE‑561 C# cs/useless-type-test Useless type test
CWE‑561 C# cs/useless-upcast Useless upcast
CWE‑561 C# cs/empty-collection Container contents are never initialized
CWE‑561 C# cs/unused-collection Container contents are never accessed
CWE‑561 C# cs/linq/useless-select Redundant Select
CWE‑561 Go go/comparison-of-identical-expressions Comparison of identical values
CWE‑561 Go go/duplicate-branches Duplicate 'if' branches
CWE‑561 Go go/duplicate-condition Duplicate 'if' condition
CWE‑561 Go go/duplicate-switch-case Duplicate switch case
CWE‑561 Go go/useless-expression Expression has no effect
CWE‑561 Go go/redundant-operation Identical operands
CWE‑561 Go go/redundant-assignment Self assignment
CWE‑561 Go go/unreachable-statement Unreachable statement
CWE‑561 Go go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑561 Java java/dead-class Dead class
CWE‑561 Java java/dead-enum-constant Dead enum constant
CWE‑561 Java java/dead-field Dead field
CWE‑561 Java java/dead-function Dead method
CWE‑561 Java java/lines-of-dead-code Lines of dead code in files
CWE‑561 Java java/unused-parameter Useless parameter
CWE‑561 Java java/useless-null-check Useless null check
CWE‑561 Java java/useless-type-test Useless type test
CWE‑561 Java java/useless-upcast Useless upcast
CWE‑561 Java java/empty-container Container contents are never initialized
CWE‑561 Java java/unused-container Container contents are never accessed
CWE‑561 Java java/constant-comparison Useless comparison test
CWE‑561 Java java/unreachable-catch-clause Unreachable catch clause
CWE‑561 Java java/unused-reference-type Unused classes and interfaces
CWE‑561 Java java/useless-assignment-to-local Useless assignment to local variable
CWE‑561 Java java/local-variable-is-never-read Unread local variable
CWE‑561 Java java/unused-field Unused field
CWE‑561 Java java/unused-label Unused label
CWE‑561 Java java/redundant-cast Unnecessary cast
CWE‑561 Java java/unused-import Unnecessary import
CWE‑561 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑561 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑561 JavaScript js/duplicate-condition Duplicate 'if' condition
CWE‑561 JavaScript js/duplicate-switch-case Duplicate switch case
CWE‑561 JavaScript js/useless-expression Expression has no effect
CWE‑561 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑561 JavaScript js/redundant-operation Identical operands
CWE‑561 JavaScript js/redundant-assignment Self assignment
CWE‑561 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑561 JavaScript js/useless-type-test Useless type test
CWE‑561 JavaScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE‑561 JavaScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE‑561 JavaScript js/unreachable-statement Unreachable statement
CWE‑561 JavaScript js/trivial-conditional Useless conditional
CWE‑561 Python py/unreachable-except Unreachable 'except' block
CWE‑561 Python py/comparison-of-constants Comparison of constants
CWE‑561 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑561 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑561 Python py/redundant-comparison Redundant comparison
CWE‑561 Python py/duplicate-key-dict-literal Duplicate key in dict literal
CWE‑561 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑561 Python py/ineffectual-statement Statement has no effect
CWE‑561 Python py/unreachable-statement Unreachable code
CWE‑563 C++ cpp/unused-local-variable Unused local variable
CWE‑563 C++ cpp/unused-static-variable Unused static variable
CWE‑563 C++ cpp/unused-variable Variable is assigned a value that is never read
CWE‑563 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE‑563 Go go/useless-assignment-to-field Useless assignment to field
CWE‑563 Go go/useless-assignment-to-local Useless assignment to local variable
CWE‑563 Java java/overwritten-assignment-to-local Assigned value is overwritten
CWE‑563 Java java/unused-initialized-local Local variable is initialized but not used
CWE‑563 Java java/unused-local-variable Unused local variable
CWE‑563 JavaScript js/variable-initialization-conflict Conflicting variable initialization
CWE‑563 JavaScript js/function-declaration-conflict Conflicting function declarations
CWE‑563 JavaScript js/useless-assignment-to-global Useless assignment to global variable
CWE‑563 JavaScript js/useless-assignment-to-local Useless assignment to local variable
CWE‑563 JavaScript js/overwritten-property Overwritten property
CWE‑563 JavaScript js/duplicate-property Duplicate property
CWE‑563 JavaScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE‑563 JavaScript js/useless-assignment-in-return Return statement assigns local variable
CWE‑563 Python py/redundant-assignment Redundant assignment
CWE‑563 Python py/multiple-definition Variable defined multiple times
CWE‑563 Python py/unused-local-variable Unused local variable
CWE‑563 Python py/unused-global-variable Unused global variable
CWE‑563 Ruby rb/useless-assignment-to-local Useless assignment to local variable
CWE‑563 Ruby rb/unused-parameter Unused parameter.
CWE‑564 Java java/concatenated-sql-query Query built by concatenation with a possibly-untrusted string
CWE‑564 Java java/sql-injection Query built from user-controlled sources
CWE‑564 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑567 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑568 Java java/missing-super-finalize Finalizer inconsistency
CWE‑568 Java java/empty-finalizer Empty body of finalizer
CWE‑570 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑570 Go go/comparison-of-identical-expressions Comparison of identical values
CWE‑570 Java java/constant-comparison Useless comparison test
CWE‑570 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑570 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑570 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑570 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑570 JavaScript js/useless-type-test Useless type test
CWE‑570 JavaScript js/trivial-conditional Useless conditional
CWE‑570 Python py/comparison-of-constants Comparison of constants
CWE‑570 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑570 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑570 Python py/redundant-comparison Redundant comparison
CWE‑570 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑571 Go go/comparison-of-identical-expressions Comparison of identical values
CWE‑571 Java java/constant-comparison Useless comparison test
CWE‑571 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑571 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑571 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑571 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑571 JavaScript js/useless-type-test Useless type test
CWE‑571 JavaScript js/trivial-conditional Useless conditional
CWE‑571 Python py/comparison-of-constants Comparison of constants
CWE‑571 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑571 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑571 Python py/redundant-comparison Redundant comparison
CWE‑571 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑572 Java java/call-to-thread-run Direct call to a run() method
CWE‑573 C++ cpp/double-free Potential double free
CWE‑573 C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE‑573 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑573 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑573 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑573 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑573 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑573 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑573 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑573 C++ cpp/twice-locked Mutex locked twice
CWE‑573 C++ cpp/unreleased-lock Lock may not be released
CWE‑573 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑573 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑573 C++ cpp/experimental-double-free Errors When Double Free
CWE‑573 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑573 C++ cpp/double-release Errors When Double Release
CWE‑573 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE‑573 C# cs/invalid-dynamic-call Bad dynamic call
CWE‑573 Java java/ejb/container-interference EJB interferes with container operation
CWE‑573 Java java/ejb/file-io EJB uses file input/output
CWE‑573 Java java/ejb/graphics EJB uses graphics
CWE‑573 Java java/ejb/native-code EJB uses native code
CWE‑573 Java java/ejb/reflection EJB uses reflection
CWE‑573 Java java/ejb/security-configuration-access EJB accesses security configuration
CWE‑573 Java java/ejb/substitution-in-serialization EJB uses substitution in serialization
CWE‑573 Java java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE‑573 Java java/ejb/server-socket EJB uses server socket
CWE‑573 Java java/ejb/non-final-static-field EJB uses non-final static field
CWE‑573 Java java/ejb/synchronization EJB uses synchronization
CWE‑573 Java java/ejb/this EJB uses 'this' as argument or result
CWE‑573 Java java/ejb/threads EJB uses threads
CWE‑573 Java java/missing-call-to-super-clone Missing super clone
CWE‑573 Java java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE‑573 Java java/unreleased-lock Unreleased lock
CWE‑573 Java java/missing-super-finalize Finalizer inconsistency
CWE‑573 Java java/missing-format-argument Missing format argument
CWE‑573 Java java/unused-format-argument Unused format argument
CWE‑573 Java java/static-initialization-vector Using a static initialization vector for encryption
CWE‑573 Java java/empty-finalizer Empty body of finalizer
CWE‑573 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑573 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE‑573 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE‑573 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑573 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑573 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE‑573 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑573 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑573 Swift swift/static-initialization-vector Static initialization vector for encryption
CWE‑574 Java java/ejb/synchronization EJB uses synchronization
CWE‑575 Java java/ejb/graphics EJB uses graphics
CWE‑576 Java java/ejb/file-io EJB uses file input/output
CWE‑577 Java java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE‑577 Java java/ejb/server-socket EJB uses server socket
CWE‑578 Java java/ejb/container-interference EJB interferes with container operation
CWE‑580 Java java/missing-call-to-super-clone Missing super clone
CWE‑581 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE‑581 Java java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE‑581 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE‑582 C# cs/static-array Array constant vulnerable to change
CWE‑582 Java java/static-array Array constant vulnerable to change
CWE‑584 Java java/abnormal-finally-completion Finally block may not complete normally
CWE‑584 JavaScript js/exit-from-finally Jump from finally
CWE‑584 Python py/exit-from-finally 'break' or 'return' statement in finally
CWE‑585 C# cs/empty-lock-statement Empty lock statement
CWE‑585 Java java/empty-synchronized-block Empty synchronized block
CWE‑592 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑592 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑592 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑592 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑592 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑592 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑592 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑592 JavaScript js/user-controlled-bypass-more-sources User-controlled bypass of security check with additional heuristic sources
CWE‑592 Ruby rb/user-controlled-bypass User-controlled bypass of security check
CWE‑595 C# cs/reference-equality-with-object Reference equality test on System.Object
CWE‑595 C# cs/reference-equality-on-valuetypes Call to ReferenceEquals(...) on value type expressions
CWE‑595 Java java/reference-equality-with-object Reference equality test on java.lang.Object
CWE‑595 Java java/reference-equality-of-boxed-types Reference equality test of boxed types
CWE‑595 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑597 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑598 Java java/sensitive-query-with-get Sensitive GET Query
CWE‑598 JavaScript js/sensitive-get-query Sensitive data read from GET request
CWE‑598 Ruby rb/sensitive-get-query Sensitive data read from GET request
CWE‑600 Java java/uncaught-servlet-exception Uncaught Servlet Exception
CWE‑601 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE‑601 Go go/bad-redirect-check Bad redirect check
CWE‑601 Go go/unvalidated-url-redirection Open URL redirect
CWE‑601 Java java/unvalidated-url-redirection URL redirection from remote source
CWE‑601 Java java/unvalidated-url-redirection-local URL redirection from local source
CWE‑601 Java java/spring-unvalidated-url-redirection Spring url redirection from remote source
CWE‑601 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑601 JavaScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE‑601 Python py/url-redirection URL redirection from remote source
CWE‑601 Ruby rb/url-redirection URL redirection from remote source
CWE‑609 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑609 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑609 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑609 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑610 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑610 C++ cpp/external-entity-expansion XML external entity expansion
CWE‑610 C# cs/path-injection Uncontrolled data used in path expression
CWE‑610 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE‑610 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑610 C# cs/insecure-xml-read XML is read insecurely
CWE‑610 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑610 C# cs/request-forgery Server-side request forgery
CWE‑610 Go go/path-injection Uncontrolled data used in path expression
CWE‑610 Go go/bad-redirect-check Bad redirect check
CWE‑610 Go go/unvalidated-url-redirection Open URL redirect
CWE‑610 Go go/request-forgery Uncontrolled data used in network request
CWE‑610 Go go/ssrf Uncontrolled data used in network request
CWE‑610 Java java/path-injection Uncontrolled data used in path expression
CWE‑610 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑610 Java java/android/unsafe-content-uri-resolution Uncontrolled data used in content resolution
CWE‑610 Java java/android/fragment-injection Android fragment injection
CWE‑610 Java java/android/fragment-injection-preference-activity Android fragment injection in PreferenceActivity
CWE‑610 Java java/unvalidated-url-redirection URL redirection from remote source
CWE‑610 Java java/unvalidated-url-redirection-local URL redirection from local source
CWE‑610 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑610 Java java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE‑610 Java java/ssrf Server-side request forgery
CWE‑610 Java java/unsafe-reflection Use of externally-controlled input to select classes or code ('unsafe reflection')
CWE‑610 Java java/spring-unvalidated-url-redirection Spring url redirection from remote source
CWE‑610 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑610 JavaScript js/template-object-injection Template Object Injection
CWE‑610 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑610 JavaScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE‑610 JavaScript js/xxe XML external entity expansion
CWE‑610 JavaScript js/client-side-request-forgery Client-side request forgery
CWE‑610 JavaScript js/request-forgery Server-side request forgery
CWE‑610 JavaScript javascript/ssrf Uncontrolled data used in network request
CWE‑610 JavaScript js/xxe-more-sources XML external entity expansion with additional heuristic sources
CWE‑610 Python py/path-injection Uncontrolled data used in path expression
CWE‑610 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑610 Python py/url-redirection URL redirection from remote source
CWE‑610 Python py/xxe XML external entity expansion
CWE‑610 Python py/full-ssrf Full server-side request forgery
CWE‑610 Python py/partial-ssrf Partial server-side request forgery
CWE‑610 Ruby rb/path-injection Uncontrolled data used in path expression
CWE‑610 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE‑610 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE‑610 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑610 Ruby rb/url-redirection URL redirection from remote source
CWE‑610 Ruby rb/xxe XML external entity expansion
CWE‑610 Ruby rb/request-forgery Server-side request forgery
CWE‑610 Swift swift/path-injection Uncontrolled data used in path expression
CWE‑610 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE‑611 C++ cpp/external-entity-expansion XML external entity expansion
CWE‑611 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑611 C# cs/insecure-xml-read XML is read insecurely
CWE‑611 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑611 Java java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE‑611 JavaScript js/xxe XML external entity expansion
CWE‑611 JavaScript js/xxe-more-sources XML external entity expansion with additional heuristic sources
CWE‑611 Python py/xxe XML external entity expansion
CWE‑611 Ruby rb/xxe XML external entity expansion
CWE‑611 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE‑614 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE‑614 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE‑614 Java java/insecure-cookie Failure to use secure cookies
CWE‑614 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑614 Python py/cookie-injection Construction of a cookie using user-supplied input.
CWE‑614 Python py/insecure-cookie Failure to use secure cookies
CWE‑625 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑628 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑628 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑628 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑628 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑628 C# cs/invalid-dynamic-call Bad dynamic call
CWE‑628 Java java/missing-format-argument Missing format argument
CWE‑628 Java java/unused-format-argument Unused format argument
CWE‑628 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑628 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE‑628 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑628 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑628 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE‑628 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑628 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑639 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑639 JavaScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE‑640 Go go/email-injection Email content injection
CWE‑640 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑642 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑642 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑642 C# cs/path-injection Uncontrolled data used in path expression
CWE‑642 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑642 Go go/path-injection Uncontrolled data used in path expression
CWE‑642 Java java/path-injection Uncontrolled data used in path expression
CWE‑642 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑642 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑642 JavaScript js/template-object-injection Template Object Injection
CWE‑642 Python py/path-injection Uncontrolled data used in path expression
CWE‑642 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑642 Ruby rb/path-injection Uncontrolled data used in path expression
CWE‑642 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE‑642 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE‑642 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑642 Swift swift/path-injection Uncontrolled data used in path expression
CWE‑643 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑643 C# cs/xml/xpath-injection XPath injection
CWE‑643 Go go/xml/xpath-injection XPath injection
CWE‑643 Java java/xml/xpath-injection XPath injection
CWE‑643 JavaScript js/xpath-injection XPath injection
CWE‑643 JavaScript js/xpath-injection-more-sources XPath injection with additional heuristic sources
CWE‑643 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑643 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑643 Ruby rb/xpath-injection XPath query built from user-controlled sources
CWE‑652 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑657 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑657 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑657 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑657 Go go/hardcoded-credentials Hard-coded credentials
CWE‑657 Go go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑657 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑657 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑657 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑657 Java java/hardcoded-password-field Hard-coded password field
CWE‑657 JavaScript js/remote-property-injection Remote property injection
CWE‑657 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑657 JavaScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE‑657 Python py/hardcoded-credentials Hard-coded credentials
CWE‑657 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE‑657 Swift swift/constant-password Constant password
CWE‑657 Swift swift/hardcoded-key Hard-coded encryption key
CWE‑662 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑662 C++ cpp/twice-locked Mutex locked twice
CWE‑662 C++ cpp/unreleased-lock Lock may not be released
CWE‑662 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑662 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE‑662 C# cs/lock-this Locking the 'this' object in a lock statement
CWE‑662 C# cs/locked-wait A lock is held during a wait
CWE‑662 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE‑662 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑662 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑662 Java java/ejb/synchronization EJB uses synchronization
CWE‑662 Java java/wait-on-condition-interface Wait on condition
CWE‑662 Java java/call-to-thread-run Direct call to a run() method
CWE‑662 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑662 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑662 Java java/unsafe-sync-on-field Futile synchronization on field
CWE‑662 Java java/inconsistent-field-synchronization Inconsistent synchronization for field
CWE‑662 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑662 Java java/non-sync-override Non-synchronized override of synchronized method
CWE‑662 Java java/notify-instead-of-notify-all notify instead of notifyAll
CWE‑662 Java java/sleep-with-lock-held Sleep with lock held
CWE‑662 Java java/sync-on-boxed-types Synchronization on boxed types or strings
CWE‑662 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑662 Java java/inconsistent-sync-writeobject Inconsistent synchronization for writeObject()
CWE‑662 Java java/unreleased-lock Unreleased lock
CWE‑662 Java java/wait-with-two-locks Wait with two locks held
CWE‑662 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑664 C++ cpp/catch-missing-free Leaky catch
CWE‑664 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑664 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑664 C++ cpp/double-free Potential double free
CWE‑664 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑664 C++ cpp/file-never-closed Open file is not closed
CWE‑664 C++ cpp/global-use-before-init Global variable may be used before initialization
CWE‑664 C++ cpp/initialization-not-run Initialization code not run
CWE‑664 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑664 C++ cpp/memory-never-freed Memory is never freed
CWE‑664 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑664 C++ cpp/not-initialised Variable not initialized before use
CWE‑664 C++ cpp/use-after-free Potential use after free
CWE‑664 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑664 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑664 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑664 C++ cpp/alloca-in-loop Call to alloca in a loop
CWE‑664 C++ cpp/improper-null-termination Potential improper null termination
CWE‑664 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑664 C++ cpp/uninitialized-local Potentially uninitialized local variable
CWE‑664 C++ cpp/using-expired-stack-address Use of expired stack-address
CWE‑664 C++ cpp/self-assignment-check Self assignment check
CWE‑664 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑664 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑664 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑664 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑664 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑664 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑664 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑664 C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE‑664 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑664 C++ cpp/unsafe-create-process-call NULL application name with an unquoted path in call to CreateProcess
CWE‑664 C++ cpp/conditionally-uninitialized-variable Conditionally uninitialized variable
CWE‑664 C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE‑664 C++ cpp/potential-system-data-exposure Potential exposure of sensitive system data to an unauthorized control sphere
CWE‑664 C++ cpp/external-entity-expansion XML external entity expansion
CWE‑664 C++ cpp/incorrect-string-type-conversion Cast from char to wchar_t
CWE‑664 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑664 C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE‑664 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑664 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑664 C++ cpp/twice-locked Mutex locked twice
CWE‑664 C++ cpp/unreleased-lock Lock may not be released
CWE‑664 C++ cpp/work-with-file-without-permissions-rights Writing to a file without setting permissions.
CWE‑664 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑664 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑664 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑664 C++ cpp/pam-auth-bypass PAM Authorization bypass
CWE‑664 C++ cpp/private-cleartext-write Exposure of private information
CWE‑664 C++ cpp/insecure-generation-of-filename Insecure generation of filenames.
CWE‑664 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑664 C++ cpp/experimental-double-free Errors When Double Free
CWE‑664 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑664 C++ cpp/double-release Errors When Double Release
CWE‑664 C++ cpp/improper-check-return-value-scanf Improper check of return value of scanf
CWE‑664 C++ cpp/resource-not-released-in-destructor Resource not released in destructor
CWE‑664 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑664 C# cs/member-not-disposed Missing Dispose call
CWE‑664 C# cs/missing-dispose-method Missing Dispose method
CWE‑664 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑664 C# cs/class-name-comparison Erroneous class compare
CWE‑664 C# cs/cast-from-abstract-to-concrete-collection Cast from abstract to concrete collection
CWE‑664 C# cs/expose-implementation Exposing internal representation
CWE‑664 C# cs/static-array Array constant vulnerable to change
CWE‑664 C# cs/web/debug-code ASP.NET: leftover debug code
CWE‑664 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑664 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑664 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE‑664 C# cs/lock-this Locking the 'this' object in a lock statement
CWE‑664 C# cs/locked-wait A lock is held during a wait
CWE‑664 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE‑664 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑664 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑664 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑664 C# cs/password-in-configuration Password in configuration file
CWE‑664 C# cs/unassigned-field Field is never assigned a non-default value
CWE‑664 C# cs/web/file-upload Use of file upload
CWE‑664 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑664 C# cs/loss-of-precision Possible loss of precision
CWE‑664 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑664 C# cs/path-injection Uncontrolled data used in path expression
CWE‑664 C# cs/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑664 C# cs/code-injection Improper control of generation of code
CWE‑664 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE‑664 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑664 C# cs/web/missing-function-level-access-control Missing function level access control
CWE‑664 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑664 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑664 C# cs/exposure-of-sensitive-information Exposure of private information
CWE‑664 C# cs/session-reuse Failure to abandon session
CWE‑664 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑664 C# cs/deserialized-delegate Deserialized delegate
CWE‑664 C# cs/unsafe-deserialization Unsafe deserializer
CWE‑664 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE‑664 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑664 C# cs/web/unvalidated-url-redirection URL redirection from remote source
CWE‑664 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑664 C# cs/insecure-xml-read XML is read insecurely
CWE‑664 C# cs/redos Denial of Service from comparison of user input against expensive regex
CWE‑664 C# cs/regex-injection Regular expression injection
CWE‑664 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑664 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑664 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑664 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE‑664 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE‑664 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑664 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑664 C# cs/request-forgery Server-side request forgery
CWE‑664 Go go/shift-out-of-range Shift out of range
CWE‑664 Go go/path-injection Uncontrolled data used in path expression
CWE‑664 Go go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE‑664 Go go/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑664 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑664 Go go/stack-trace-exposure Information exposure through a stack trace
CWE‑664 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑664 Go go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE‑664 Go go/bad-redirect-check Bad redirect check
CWE‑664 Go go/unvalidated-url-redirection Open URL redirect
CWE‑664 Go go/email-injection Email content injection
CWE‑664 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑664 Go go/hardcoded-credentials Hard-coded credentials
CWE‑664 Go go/request-forgery Uncontrolled data used in network request
CWE‑664 Go go/timing-attack Timing attacks due to comparison of sensitive secrets
CWE‑664 Go go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑664 Go go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑664 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑664 Go go/ssrf Uncontrolled data used in network request
CWE‑664 Go go/cors-misconfiguration CORS misconfiguration
CWE‑664 Java java/ejb/synchronization EJB uses synchronization
CWE‑664 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑664 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑664 Java java/missing-call-to-super-clone Missing super clone
CWE‑664 Java java/wait-on-condition-interface Wait on condition
CWE‑664 Java java/call-to-thread-run Direct call to a run() method
CWE‑664 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑664 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑664 Java java/unsafe-sync-on-field Futile synchronization on field
CWE‑664 Java java/inconsistent-field-synchronization Inconsistent synchronization for field
CWE‑664 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑664 Java java/non-sync-override Non-synchronized override of synchronized method
CWE‑664 Java java/notify-instead-of-notify-all notify instead of notifyAll
CWE‑664 Java java/sleep-with-lock-held Sleep with lock held
CWE‑664 Java java/sync-on-boxed-types Synchronization on boxed types or strings
CWE‑664 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑664 Java java/inconsistent-sync-writeobject Inconsistent synchronization for writeObject()
CWE‑664 Java java/unreleased-lock Unreleased lock
CWE‑664 Java java/wait-with-two-locks Wait with two locks held
CWE‑664 Java java/missing-super-finalize Finalizer inconsistency
CWE‑664 Java java/input-resource-leak Potential input resource leak
CWE‑664 Java java/database-resource-leak Potential database resource leak
CWE‑664 Java java/output-resource-leak Potential output resource leak
CWE‑664 Java java/impossible-array-cast Impossible array cast
CWE‑664 Java java/path-injection Uncontrolled data used in path expression
CWE‑664 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑664 Java java/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑664 Java java/partial-path-traversal Partial path traversal vulnerability
CWE‑664 Java java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE‑664 Java java/android/arbitrary-apk-installation Android APK installation
CWE‑664 Java java/groovy-injection Groovy Language injection
CWE‑664 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑664 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑664 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑664 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑664 Java java/server-side-template-injection Server-side template injection
CWE‑664 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑664 Java java/android/websettings-allow-content-access Android WebView settings allows access to content links
CWE‑664 Java java/android/websettings-file-access Android WebSettings file access
CWE‑664 Java java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE‑664 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑664 Java java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE‑664 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑664 Java java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE‑664 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑664 Java java/android/backup-enabled Application backup allowed
CWE‑664 Java java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE‑664 Java java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE‑664 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑664 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑664 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑664 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑664 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑664 Java java/android/unsafe-content-uri-resolution Uncontrolled data used in content resolution
CWE‑664 Java java/android/fragment-injection Android fragment injection
CWE‑664 Java java/android/fragment-injection-preference-activity Android fragment injection in PreferenceActivity
CWE‑664 Java java/android/debuggable-attribute-enabled Android debuggable attribute enabled
CWE‑664 Java java/android/webview-debugging-enabled Android Webview debugging enabled
CWE‑664 Java java/trust-boundary-violation Trust boundary violation
CWE‑664 Java java/unsafe-deserialization Deserialization of user-controlled data
CWE‑664 Java java/insecure-basic-auth Insecure basic authentication
CWE‑664 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑664 Java java/android/sensitive-keyboard-cache Android sensitive keyboard cache
CWE‑664 Java java/sensitive-log Insertion of sensitive information into log files
CWE‑664 Java java/unvalidated-url-redirection URL redirection from remote source
CWE‑664 Java java/unvalidated-url-redirection-local URL redirection from local source
CWE‑664 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑664 Java java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE‑664 Java java/tainted-numeric-cast User-controlled data in numeric cast
CWE‑664 Java java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE‑664 Java java/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑664 Java java/redos Inefficient regular expression
CWE‑664 Java java/regex-injection Regular expression injection
CWE‑664 Java java/world-writable-file-read Reading from a world writable file
CWE‑664 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE‑664 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑664 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑664 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑664 Java java/hardcoded-password-field Hard-coded password field
CWE‑664 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑664 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑664 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑664 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑664 Java java/ssrf Server-side request forgery
CWE‑664 Java java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE‑664 Java java/android/incomplete-provider-permissions Missing read or write permission in a content provider
CWE‑664 Java java/android/implicitly-exported-component Implicitly exported Android component
CWE‑664 Java java/android/implicit-pendingintents Use of implicit PendingIntents
CWE‑664 Java java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE‑664 Java java/android/sensitive-result-receiver Leaking sensitive information through a ResultReceiver
CWE‑664 Java java/android/intent-redirection Android Intent redirection
CWE‑664 Java java/empty-finalizer Empty body of finalizer
CWE‑664 Java java/unassigned-field Field is never assigned a non-null value
CWE‑664 Java java/overly-general-catch Overly-general catch clause
CWE‑664 Java java/abstract-to-concrete-cast Cast from abstract to concrete collection
CWE‑664 Java java/internal-representation-exposure Exposing internal representation
CWE‑664 Java java/static-array Array constant vulnerable to change
CWE‑664 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑664 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑664 Java java/beanshell-injection BeanShell injection
CWE‑664 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑664 Java java/jshell-injection JShell injection
CWE‑664 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑664 Java java/jython-injection Injection in Jython
CWE‑664 Java java/unsafe-eval Injection in Java Script Engine
CWE‑664 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑664 Java java/spring-view-manipulation Spring View Manipulation
CWE‑664 Java java/insecure-webview-resource-response Insecure Android WebView Resource Response
CWE‑664 Java java/sensitive-android-file-leak Leaking sensitive Android file
CWE‑664 Java java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE‑664 Java java/timing-attack-against-headers-value Timing attack against header value
CWE‑664 Java java/timing-attack-against-signature Timing attack against signature validation
CWE‑664 Java java/ignored-hostname-verification Ignored result of hostname verification
CWE‑664 Java java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE‑664 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑664 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑664 Java java/local-thread-resource-abuse Uncontrolled thread resource consumption from local input source
CWE‑664 Java java/thread-resource-abuse Uncontrolled thread resource consumption
CWE‑664 Java java/unsafe-reflection Use of externally-controlled input to select classes or code ('unsafe reflection')
CWE‑664 Java java/main-method-in-enterprise-bean Main Method in Enterprise Java Bean
CWE‑664 Java java/main-method-in-web-components Main Method in Java EE Web Components
CWE‑664 Java java/struts-development-mode Apache Struts development mode enabled
CWE‑664 Java java/unsafe-deserialization-rmi Unsafe deserialization in a remotely callable method.
CWE‑664 Java java/unsafe-deserialization-spring-exporter-in-configuration-class Unsafe deserialization with Spring's remote service exporters.
CWE‑664 Java java/unsafe-deserialization-spring-exporter-in-xml-configuration Unsafe deserialization with Spring's remote service exporters.
CWE‑664 Java java/server-directory-listing Directories and files exposure
CWE‑664 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑664 Java java/password-in-configuration Password in configuration file
CWE‑664 Java java/sensitive-query-with-get Sensitive GET Query
CWE‑664 Java java/spring-unvalidated-url-redirection Spring url redirection from remote source
CWE‑664 Java java/insecure-rmi-jmx-server-initialization InsecureRmiJmxAuthenticationEnvironment
CWE‑664 Java java/incorrect-url-verification Incorrect URL verification
CWE‑664 JavaScript js/alert-call Invocation of alert
CWE‑664 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑664 JavaScript js/enabling-electron-insecure-content Enabling Electron allowRunningInsecureContent
CWE‑664 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑664 JavaScript js/implicit-operand-conversion Implicit operand conversion
CWE‑664 JavaScript js/shift-out-of-range Shift out of range
CWE‑664 JavaScript js/debugger-statement Use of debugger statement
CWE‑664 JavaScript js/invalid-prototype-value Invalid prototype value
CWE‑664 JavaScript js/property-assignment-on-primitive Assignment to property of primitive value
CWE‑664 JavaScript js/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑664 JavaScript js/redos Inefficient regular expression
CWE‑664 JavaScript js/missing-origin-check Missing origin verification in postMessage handler
CWE‑664 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑664 JavaScript js/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑664 JavaScript js/template-object-injection Template Object Injection
CWE‑664 JavaScript js/code-injection Code injection
CWE‑664 JavaScript js/actions/command-injection Expression injection in Actions
CWE‑664 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑664 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑664 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑664 JavaScript js/case-sensitive-middleware-path Case-sensitive middleware path
CWE‑664 JavaScript js/file-access-to-http File data in outbound network request
CWE‑664 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑664 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑664 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑664 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑664 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑664 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑664 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑664 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑664 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑664 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑664 JavaScript js/insecure-temporary-file Insecure temporary file
CWE‑664 JavaScript js/session-fixation Failure to abandon session
CWE‑664 JavaScript js/resource-exhaustion-from-deep-object-traversal Resources exhaustion from deep object traversal
CWE‑664 JavaScript js/remote-property-injection Remote property injection
CWE‑664 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑664 JavaScript js/unsafe-deserialization Deserialization of user-controlled data
CWE‑664 JavaScript js/sensitive-get-query Sensitive data read from GET request
CWE‑664 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑664 JavaScript js/server-side-unvalidated-url-redirection Server-side URL redirect
CWE‑664 JavaScript js/xxe XML external entity expansion
CWE‑664 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑664 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑664 JavaScript js/regex-injection Regular expression injection
CWE‑664 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑664 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑664 JavaScript js/xml-bomb XML internal entity expansion
CWE‑664 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑664 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑664 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑664 JavaScript js/insecure-download Download of sensitive file through insecure connection
CWE‑664 JavaScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE‑664 JavaScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE‑664 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑664 JavaScript js/http-to-file-access Network data written to file
CWE‑664 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑664 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑664 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑664 JavaScript js/client-side-request-forgery Client-side request forgery
CWE‑664 JavaScript js/request-forgery Server-side request forgery
CWE‑664 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑664 JavaScript javascript/ssrf Uncontrolled data used in network request
CWE‑664 JavaScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE‑664 JavaScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE‑664 JavaScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE‑664 JavaScript js/unsafe-deserialization-more-sources Deserialization of user-controlled data with additional heuristic sources
CWE‑664 JavaScript js/xxe-more-sources XML external entity expansion with additional heuristic sources
CWE‑664 JavaScript js/regex-injection-more-sources Regular expression injection with additional heuristic sources
CWE‑664 JavaScript js/resource-exhaustion-more-sources Resource exhaustion with additional heuristic sources
CWE‑664 JavaScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE‑664 JavaScript js/user-controlled-bypass-more-sources User-controlled bypass of security check with additional heuristic sources
CWE‑664 JavaScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE‑664 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑664 Python py/implicit-string-concatenation-in-list Implicit string concatenation in a list
CWE‑664 Python py/file-not-closed File is not always closed
CWE‑664 Python py/bind-socket-all-network-interfaces Binding a socket to all network interfaces
CWE‑664 Python py/path-injection Uncontrolled data used in path expression
CWE‑664 Python py/tarslip Arbitrary file write during tarfile extraction
CWE‑664 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑664 Python py/code-injection Code injection
CWE‑664 Python py/stack-trace-exposure Information exposure through an exception
CWE‑664 Python py/flask-debug Flask app is run in debug mode
CWE‑664 Python py/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑664 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑664 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑664 Python py/insecure-temporary-file Insecure temporary file
CWE‑664 Python py/unsafe-deserialization Deserialization of user-controlled data
CWE‑664 Python py/url-redirection URL redirection from remote source
CWE‑664 Python py/xxe XML external entity expansion
CWE‑664 Python py/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑664 Python py/redos Inefficient regular expression
CWE‑664 Python py/regex-injection Regular expression injection
CWE‑664 Python py/overly-permissive-file Overly permissive file permissions
CWE‑664 Python py/xml-bomb XML internal entity expansion
CWE‑664 Python py/hardcoded-credentials Hard-coded credentials
CWE‑664 Python py/full-ssrf Full server-side request forgery
CWE‑664 Python py/partial-ssrf Partial server-side request forgery
CWE‑664 Python py/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑664 Python py/tarslip-extended Arbitrary file write during tarfile extraction
CWE‑664 Python py/unsafe-unpacking Arbitrary file write during a tarball extraction from a user controlled source
CWE‑664 Python py/possible-timing-attack-against-hash Timing attack against Hash
CWE‑664 Python py/timing-attack-against-hash Timing attack against Hash
CWE‑664 Python py/timing-attack-against-header-value Timing attack against header value
CWE‑664 Python py/possible-timing-attack-sensitive-info Timing attack against secret
CWE‑664 Python py/timing-attack-sensitive-info Timing attack against secret
CWE‑664 Python py/flask-constant-secret-key Initializing SECRET_KEY of Flask application with Constant value
CWE‑664 Python py/improper-ldap-auth Improper LDAP Authentication
CWE‑664 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE‑664 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer denial of service
CWE‑664 Ruby rb/zip-slip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑664 Ruby rb/user-controlled-bypass User-controlled bypass of security check
CWE‑664 Ruby rb/user-controlled-file-decompression User-controlled file decompression
CWE‑664 Ruby rb/improper-ldap-auth Improper LDAP Authentication
CWE‑664 Ruby rb/server-side-template-injection Server-side template injection
CWE‑664 Ruby rb/path-injection Uncontrolled data used in path expression
CWE‑664 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE‑664 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE‑664 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑664 Ruby rb/code-injection Code injection
CWE‑664 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE‑664 Ruby rb/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑664 Ruby rb/redos Inefficient regular expression
CWE‑664 Ruby rb/regexp-injection Regular expression injection
CWE‑664 Ruby rb/stack-trace-exposure Information exposure through an exception
CWE‑664 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑664 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑664 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑664 Ruby rb/unsafe-deserialization Deserialization of user-controlled data
CWE‑664 Ruby rb/sensitive-get-query Sensitive data read from GET request
CWE‑664 Ruby rb/url-redirection URL redirection from remote source
CWE‑664 Ruby rb/xxe XML external entity expansion
CWE‑664 Ruby rb/weak-cookie-configuration Weak cookie configuration
CWE‑664 Ruby rb/overly-permissive-file Overly permissive file permissions
CWE‑664 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE‑664 Ruby rb/insecure-download Download of sensitive file through insecure connection
CWE‑664 Ruby rb/http-to-file-access Network data written to file
CWE‑664 Ruby rb/request-forgery Server-side request forgery
CWE‑664 Swift swift/path-injection Uncontrolled data used in path expression
CWE‑664 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE‑664 Swift swift/unsafe-js-eval JavaScript Injection
CWE‑664 Swift swift/redos Inefficient regular expression
CWE‑664 Swift swift/constant-password Constant password
CWE‑664 Swift swift/cleartext-storage-database Cleartext storage of sensitive information in a local database
CWE‑664 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE‑664 Swift swift/cleartext-storage-preferences Cleartext storage of sensitive information in an application preference store
CWE‑664 Swift swift/hardcoded-key Hard-coded encryption key
CWE‑664 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE‑664 Swift swift/regex-injection Regular expression injection
CWE‑665 C++ cpp/global-use-before-init Global variable may be used before initialization
CWE‑665 C++ cpp/initialization-not-run Initialization code not run
CWE‑665 C++ cpp/not-initialised Variable not initialized before use
CWE‑665 C++ cpp/alloca-in-loop Call to alloca in a loop
CWE‑665 C++ cpp/improper-null-termination Potential improper null termination
CWE‑665 C++ cpp/uninitialized-local Potentially uninitialized local variable
CWE‑665 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑665 C++ cpp/conditionally-uninitialized-variable Conditionally uninitialized variable
CWE‑665 C# cs/unassigned-field Field is never assigned a non-default value
CWE‑665 Java java/unassigned-field Field is never assigned a non-null value
CWE‑665 Java java/insecure-rmi-jmx-server-initialization InsecureRmiJmxAuthenticationEnvironment
CWE‑665 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑665 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑665 JavaScript js/resource-exhaustion-more-sources Resource exhaustion with additional heuristic sources
CWE‑665 Python py/implicit-string-concatenation-in-list Implicit string concatenation in a list
CWE‑666 C++ cpp/double-free Potential double free
CWE‑666 C++ cpp/use-after-free Potential use after free
CWE‑666 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑666 C++ cpp/using-expired-stack-address Use of expired stack-address
CWE‑666 C++ cpp/self-assignment-check Self assignment check
CWE‑666 C++ cpp/experimental-double-free Errors When Double Free
CWE‑666 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑666 C++ cpp/double-release Errors When Double Release
CWE‑667 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑667 C++ cpp/twice-locked Mutex locked twice
CWE‑667 C++ cpp/unreleased-lock Lock may not be released
CWE‑667 C# cs/locked-wait A lock is held during a wait
CWE‑667 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑667 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑667 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑667 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑667 Java java/sleep-with-lock-held Sleep with lock held
CWE‑667 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑667 Java java/unreleased-lock Unreleased lock
CWE‑667 Java java/wait-with-two-locks Wait with two locks held
CWE‑667 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑668 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑668 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑668 C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE‑668 C++ cpp/unsafe-create-process-call NULL application name with an unquoted path in call to CreateProcess
CWE‑668 C++ cpp/system-data-exposure Exposure of system data to an unauthorized control sphere
CWE‑668 C++ cpp/potential-system-data-exposure Potential exposure of sensitive system data to an unauthorized control sphere
CWE‑668 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑668 C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE‑668 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑668 C++ cpp/work-with-file-without-permissions-rights Writing to a file without setting permissions.
CWE‑668 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑668 C++ cpp/private-cleartext-write Exposure of private information
CWE‑668 C++ cpp/insecure-generation-of-filename Insecure generation of filenames.
CWE‑668 C# cs/static-array Array constant vulnerable to change
CWE‑668 C# cs/web/html-hidden-input Use of HTMLInputHidden
CWE‑668 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑668 C# cs/password-in-configuration Password in configuration file
CWE‑668 C# cs/web/debug-binary Creating an ASP.NET debug binary may reveal sensitive information
CWE‑668 C# cs/path-injection Uncontrolled data used in path expression
CWE‑668 C# cs/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑668 C# cs/sensitive-data-transmission Information exposure through transmitted data
CWE‑668 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑668 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑668 C# cs/exposure-of-sensitive-information Exposure of private information
CWE‑668 C# cs/web/directory-browse-enabled ASP.NET config file enables directory browsing
CWE‑668 C# cs/web/persistent-cookie Cookie security: persistent cookie
CWE‑668 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑668 Go go/path-injection Uncontrolled data used in path expression
CWE‑668 Go go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE‑668 Go go/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑668 Go go/stack-trace-exposure Information exposure through a stack trace
CWE‑668 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑668 Go go/timing-attack Timing attacks due to comparison of sensitive secrets
CWE‑668 Go go/cors-misconfiguration CORS misconfiguration
CWE‑668 Java java/path-injection Uncontrolled data used in path expression
CWE‑668 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑668 Java java/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑668 Java java/partial-path-traversal Partial path traversal vulnerability
CWE‑668 Java java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE‑668 Java java/android/websettings-allow-content-access Android WebView settings allows access to content links
CWE‑668 Java java/android/websettings-file-access Android WebSettings file access
CWE‑668 Java java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE‑668 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑668 Java java/insecure-basic-auth Insecure basic authentication
CWE‑668 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑668 Java java/android/sensitive-keyboard-cache Android sensitive keyboard cache
CWE‑668 Java java/sensitive-log Insertion of sensitive information into log files
CWE‑668 Java java/world-writable-file-read Reading from a world writable file
CWE‑668 Java java/android/implicit-pendingintents Use of implicit PendingIntents
CWE‑668 Java java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE‑668 Java java/android/sensitive-result-receiver Leaking sensitive information through a ResultReceiver
CWE‑668 Java java/static-array Array constant vulnerable to change
CWE‑668 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑668 Java java/insecure-webview-resource-response Insecure Android WebView Resource Response
CWE‑668 Java java/sensitive-android-file-leak Leaking sensitive Android file
CWE‑668 Java java/possible-timing-attack-against-signature Possible timing attack against signature validation
CWE‑668 Java java/timing-attack-against-headers-value Timing attack against header value
CWE‑668 Java java/timing-attack-against-signature Timing attack against signature validation
CWE‑668 Java java/server-directory-listing Directories and files exposure
CWE‑668 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑668 Java java/password-in-configuration Password in configuration file
CWE‑668 Java java/sensitive-query-with-get Sensitive GET Query
CWE‑668 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑668 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑668 JavaScript js/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑668 JavaScript js/template-object-injection Template Object Injection
CWE‑668 JavaScript js/file-access-to-http File data in outbound network request
CWE‑668 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑668 JavaScript js/cross-window-information-leak Cross-window communication with unrestricted target origin
CWE‑668 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑668 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑668 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑668 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑668 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑668 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑668 JavaScript js/insecure-temporary-file Insecure temporary file
CWE‑668 JavaScript js/sensitive-get-query Sensitive data read from GET request
CWE‑668 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑668 JavaScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE‑668 Python py/bind-socket-all-network-interfaces Binding a socket to all network interfaces
CWE‑668 Python py/path-injection Uncontrolled data used in path expression
CWE‑668 Python py/tarslip Arbitrary file write during tarfile extraction
CWE‑668 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑668 Python py/stack-trace-exposure Information exposure through an exception
CWE‑668 Python py/flask-debug Flask app is run in debug mode
CWE‑668 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑668 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑668 Python py/insecure-temporary-file Insecure temporary file
CWE‑668 Python py/overly-permissive-file Overly permissive file permissions
CWE‑668 Python py/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑668 Python py/tarslip-extended Arbitrary file write during tarfile extraction
CWE‑668 Python py/unsafe-unpacking Arbitrary file write during a tarball extraction from a user controlled source
CWE‑668 Python py/possible-timing-attack-against-hash Timing attack against Hash
CWE‑668 Python py/timing-attack-against-hash Timing attack against Hash
CWE‑668 Python py/timing-attack-against-header-value Timing attack against header value
CWE‑668 Python py/possible-timing-attack-sensitive-info Timing attack against secret
CWE‑668 Python py/timing-attack-sensitive-info Timing attack against secret
CWE‑668 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE‑668 Ruby rb/zip-slip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑668 Ruby rb/path-injection Uncontrolled data used in path expression
CWE‑668 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE‑668 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE‑668 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑668 Ruby rb/stack-trace-exposure Information exposure through an exception
CWE‑668 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑668 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑668 Ruby rb/sensitive-get-query Sensitive data read from GET request
CWE‑668 Ruby rb/weak-cookie-configuration Weak cookie configuration
CWE‑668 Ruby rb/overly-permissive-file Overly permissive file permissions
CWE‑668 Swift swift/path-injection Uncontrolled data used in path expression
CWE‑668 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE‑669 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑669 C# cs/web/file-upload Use of file upload
CWE‑669 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑669 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑669 C# cs/insecure-xml-read XML is read insecurely
CWE‑669 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑669 Java java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE‑669 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑669 JavaScript js/enabling-electron-insecure-content Enabling Electron allowRunningInsecureContent
CWE‑669 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑669 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑669 JavaScript js/xxe XML external entity expansion
CWE‑669 JavaScript js/insecure-download Download of sensitive file through insecure connection
CWE‑669 JavaScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE‑669 JavaScript js/http-to-file-access Network data written to file
CWE‑669 JavaScript js/xxe-more-sources XML external entity expansion with additional heuristic sources
CWE‑669 Python py/xxe XML external entity expansion
CWE‑669 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑669 Ruby rb/xxe XML external entity expansion
CWE‑669 Ruby rb/insecure-download Download of sensitive file through insecure connection
CWE‑669 Ruby rb/http-to-file-access Network data written to file
CWE‑669 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE‑670 C++ cpp/comma-before-misleading-indentation Comma before misleading indentation
CWE‑670 C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE‑670 C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE‑670 C++ cpp/incorrect-not-operator-usage Incorrect 'not' operator usage
CWE‑670 C++ cpp/logical-operator-applied-to-flag Short-circuiting operator applied to flag
CWE‑670 C++ cpp/unsafe-use-of-this Unsafe use of this in constructor
CWE‑670 C++ cpp/dangerous-use-of-ssl-shutdown Dangerous use SSL_shutdown.
CWE‑670 C++ cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations Operator Precedence Logic Error When Use Bitwise Or Logical Operations
CWE‑670 C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE‑670 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE‑670 Go go/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑670 Go go/useless-expression Expression has no effect
CWE‑670 Go go/redundant-operation Identical operands
CWE‑670 Go go/redundant-assignment Self assignment
CWE‑670 Java java/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑670 Java java/assignment-in-boolean-expression Assignment in Boolean expression
CWE‑670 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑670 Java java/switch-fall-through Unterminated switch case
CWE‑670 JavaScript js/useless-expression Expression has no effect
CWE‑670 JavaScript js/redundant-operation Identical operands
CWE‑670 JavaScript js/redundant-assignment Self assignment
CWE‑670 JavaScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE‑670 JavaScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑670 JavaScript js/deletion-of-non-property Deleting non-property
CWE‑670 JavaScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE‑670 JavaScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE‑670 Python py/asserts-tuple Asserting a tuple
CWE‑671 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑671 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑671 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑671 Go go/hardcoded-credentials Hard-coded credentials
CWE‑671 Go go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑671 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑671 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑671 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑671 Java java/hardcoded-password-field Hard-coded password field
CWE‑671 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑671 Python py/hardcoded-credentials Hard-coded credentials
CWE‑671 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE‑671 Swift swift/constant-password Constant password
CWE‑671 Swift swift/hardcoded-key Hard-coded encryption key
CWE‑672 C++ cpp/double-free Potential double free
CWE‑672 C++ cpp/use-after-free Potential use after free
CWE‑672 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑672 C++ cpp/using-expired-stack-address Use of expired stack-address
CWE‑672 C++ cpp/experimental-double-free Errors When Double Free
CWE‑672 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑674 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑674 C# cs/insecure-xml-read XML is read insecurely
CWE‑674 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑674 Java java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE‑674 JavaScript js/xml-bomb XML internal entity expansion
CWE‑674 JavaScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE‑674 Python py/xml-bomb XML internal entity expansion
CWE‑674 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer denial of service
CWE‑674 Ruby rb/xxe XML external entity expansion
CWE‑674 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE‑675 C++ cpp/double-free Potential double free
CWE‑675 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑675 C++ cpp/twice-locked Mutex locked twice
CWE‑675 C++ cpp/unreleased-lock Lock may not be released
CWE‑675 C++ cpp/experimental-double-free Errors When Double Free
CWE‑675 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑675 C++ cpp/double-release Errors When Double Release
CWE‑675 Java java/unreleased-lock Unreleased lock
CWE‑676 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑676 C++ cpp/suspicious-call-to-memset Suspicious call to memset
CWE‑676 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑676 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑676 C++ cpp/dangerous-function-overflow Use of dangerous function
CWE‑676 C++ cpp/dangerous-cin Dangerous use of 'cin'
CWE‑676 C++ cpp/potentially-dangerous-function Use of potentially dangerous function
CWE‑676 Java java/potentially-dangerous-function Use of a potentially dangerous function
CWE‑676 JavaScript js/eval-like-call Call to eval-like DOM function
CWE‑676 JavaScript js/eval-call Use of eval
CWE‑681 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑681 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑681 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑681 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑681 C# cs/loss-of-precision Possible loss of precision
CWE‑681 Go go/shift-out-of-range Shift out of range
CWE‑681 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑681 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑681 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑681 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑681 Java java/tainted-numeric-cast User-controlled data in numeric cast
CWE‑681 Java java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE‑681 JavaScript js/shift-out-of-range Shift out of range
CWE‑682 C++ cpp/overflow-calculated Buffer not sufficient for string
CWE‑682 C++ cpp/overflow-destination Copy function using source size
CWE‑682 C++ cpp/static-buffer-overflow Static array access may cause overflow
CWE‑682 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑682 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑682 C++ cpp/ambiguously-signed-bit-field Ambiguously signed bit-field member
CWE‑682 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑682 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑682 C++ cpp/signed-overflow-check Signed overflow check
CWE‑682 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑682 C++ cpp/suspicious-sizeof Suspicious 'sizeof' use
CWE‑682 C++ cpp/overrun-write Overrunning write
CWE‑682 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑682 C++ cpp/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑682 C++ cpp/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑682 C++ cpp/arithmetic-with-extreme-values Use of extreme values in arithmetic expression
CWE‑682 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑682 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑682 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑682 C++ cpp/unsigned-difference-expression-compared-zero Unsigned difference expression compared to zero
CWE‑682 C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE‑682 C++ cpp/suspicious-pointer-scaling Suspicious pointer scaling
CWE‑682 C++ cpp/incorrect-pointer-scaling-char Suspicious pointer scaling to char
CWE‑682 C++ cpp/suspicious-pointer-scaling-void Suspicious pointer scaling to void
CWE‑682 C++ cpp/suspicious-add-sizeof Suspicious add with sizeof
CWE‑682 C++ cpp/multiplication-overflow-in-alloc Multiplication result may overflow and be used in allocation
CWE‑682 C++ cpp/dangerous-use-of-transformation-after-operation Dangerous use of transformation after operation.
CWE‑682 C++ cpp/divide-by-zero-using-return-value Divide by zero using return value
CWE‑682 C++ cpp/signed-bit-field Possible signed bit-field member
CWE‑682 C# cs/index-out-of-bounds Off-by-one comparison against container length
CWE‑682 C# cs/loss-of-precision Possible loss of precision
CWE‑682 Go go/index-out-of-bounds Off-by-one comparison against length
CWE‑682 Go go/allocation-size-overflow Size computation for allocation may overflow
CWE‑682 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑682 Go go/divide-by-zero Divide by zero
CWE‑682 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑682 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑682 Java java/index-out-of-bounds Array index out of bounds
CWE‑682 Java java/tainted-arithmetic User-controlled data in arithmetic expression
CWE‑682 Java java/tainted-arithmetic-local Local-user-controlled data in arithmetic expression
CWE‑682 Java java/uncontrolled-arithmetic Uncontrolled data in arithmetic expression
CWE‑682 Java java/extreme-value-arithmetic Use of extreme values in arithmetic expression
CWE‑682 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑682 JavaScript js/index-out-of-bounds Off-by-one comparison against length
CWE‑682 Swift swift/string-length-conflation String length conflation
CWE‑684 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑684 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑685 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑685 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑685 Java java/missing-format-argument Missing format argument
CWE‑685 Java java/unused-format-argument Unused format argument
CWE‑685 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑685 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑685 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑685 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑686 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑687 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑687 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑691 C++ cpp/comma-before-misleading-indentation Comma before misleading indentation
CWE‑691 C++ cpp/assign-where-compare-meant Assignment where comparison was intended
CWE‑691 C++ cpp/compare-where-assign-meant Comparison where assignment was intended
CWE‑691 C++ cpp/incorrect-not-operator-usage Incorrect 'not' operator usage
CWE‑691 C++ cpp/logical-operator-applied-to-flag Short-circuiting operator applied to flag
CWE‑691 C++ cpp/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑691 C++ cpp/unsafe-use-of-this Unsafe use of this in constructor
CWE‑691 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑691 C++ cpp/toctou-race-condition Time-of-check time-of-use filesystem race condition
CWE‑691 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑691 C++ cpp/twice-locked Mutex locked twice
CWE‑691 C++ cpp/unreleased-lock Lock may not be released
CWE‑691 C++ cpp/infinite-loop-with-unsatisfiable-exit-condition Infinite loop with unsatisfiable exit condition
CWE‑691 C++ cpp/linux-kernel-double-fetch-vulnerability Linux kernel double-fetch vulnerability detection
CWE‑691 C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE‑691 C++ cpp/dangerous-use-of-ssl-shutdown Dangerous use SSL_shutdown.
CWE‑691 C++ cpp/errors-after-refactoring Errors After Refactoring
CWE‑691 C++ cpp/errors-when-using-bit-operations Errors When Using Bit Operations
CWE‑691 C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE‑691 C++ cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations Operator Precedence Logic Error When Use Bitwise Or Logical Operations
CWE‑691 C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE‑691 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑691 C# cs/constant-condition Constant condition
CWE‑691 C# cs/unsafe-sync-on-field Futile synchronization on field
CWE‑691 C# cs/inconsistent-lock-sequence Inconsistent lock sequence
CWE‑691 C# cs/lock-this Locking the 'this' object in a lock statement
CWE‑691 C# cs/locked-wait A lock is held during a wait
CWE‑691 C# cs/unsynchronized-getter Inconsistently synchronized property
CWE‑691 C# cs/unsafe-double-checked-lock Double-checked lock is not thread-safe
CWE‑691 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑691 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑691 C# cs/non-short-circuit Potentially dangerous use of non-short-circuit logic
CWE‑691 C# cs/thread-unsafe-icryptotransform-field-in-class Thread-unsafe use of a static ICryptoTransform field
CWE‑691 C# cs/thread-unsafe-icryptotransform-captured-in-lambda Thread-unsafe capturing of an ICryptoTransform object
CWE‑691 C# cs/linq/inconsistent-enumeration Bad multiple iteration
CWE‑691 C# cs/code-injection Improper control of generation of code
CWE‑691 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑691 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑691 C# cs/insecure-xml-read XML is read insecurely
CWE‑691 Go go/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑691 Go go/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑691 Go go/useless-expression Expression has no effect
CWE‑691 Go go/redundant-operation Identical operands
CWE‑691 Go go/redundant-assignment Self assignment
CWE‑691 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑691 Java java/ejb/container-interference EJB interferes with container operation
CWE‑691 Java java/ejb/synchronization EJB uses synchronization
CWE‑691 Java java/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑691 Java java/assignment-in-boolean-expression Assignment in Boolean expression
CWE‑691 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑691 Java java/wait-on-condition-interface Wait on condition
CWE‑691 Java java/call-to-thread-run Direct call to a run() method
CWE‑691 Java java/unsafe-double-checked-locking Double-checked locking is not thread-safe
CWE‑691 Java java/unsafe-double-checked-locking-init-order Race condition in double-checked locking object initialization
CWE‑691 Java java/unsafe-sync-on-field Futile synchronization on field
CWE‑691 Java java/inconsistent-field-synchronization Inconsistent synchronization for field
CWE‑691 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑691 Java java/non-sync-override Non-synchronized override of synchronized method
CWE‑691 Java java/notify-instead-of-notify-all notify instead of notifyAll
CWE‑691 Java java/sleep-with-lock-held Sleep with lock held
CWE‑691 Java java/sync-on-boxed-types Synchronization on boxed types or strings
CWE‑691 Java java/unsynchronized-getter Inconsistent synchronization of getter and setter
CWE‑691 Java java/inconsistent-sync-writeobject Inconsistent synchronization for writeObject()
CWE‑691 Java java/unreleased-lock Unreleased lock
CWE‑691 Java java/wait-with-two-locks Wait with two locks held
CWE‑691 Java java/non-short-circuit-evaluation Dangerous non-short-circuit logic
CWE‑691 Java java/constant-loop-condition Constant loop condition
CWE‑691 Java java/android/arbitrary-apk-installation Android APK installation
CWE‑691 Java java/groovy-injection Groovy Language injection
CWE‑691 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑691 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑691 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑691 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑691 Java java/server-side-template-injection Server-side template injection
CWE‑691 Java java/toctou-race-condition Time-of-check time-of-use race condition
CWE‑691 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑691 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑691 Java java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE‑691 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE‑691 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑691 Java java/unreachable-exit-in-loop Loop with unreachable exit condition
CWE‑691 Java java/switch-fall-through Unterminated switch case
CWE‑691 Java java/overly-general-catch Overly-general catch clause
CWE‑691 Java java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE‑691 Java java/jvm-exit Forcible JVM termination
CWE‑691 Java java/abnormal-finally-completion Finally block may not complete normally
CWE‑691 Java java/beanshell-injection BeanShell injection
CWE‑691 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑691 Java java/jshell-injection JShell injection
CWE‑691 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑691 Java java/jython-injection Injection in Jython
CWE‑691 Java java/unsafe-eval Injection in Java Script Engine
CWE‑691 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑691 Java java/spring-view-manipulation Spring View Manipulation
CWE‑691 Java java/uncaught-servlet-exception Uncaught Servlet Exception
CWE‑691 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑691 JavaScript js/useless-expression Expression has no effect
CWE‑691 JavaScript js/redundant-operation Identical operands
CWE‑691 JavaScript js/redundant-assignment Self assignment
CWE‑691 JavaScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE‑691 JavaScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑691 JavaScript js/deletion-of-non-property Deleting non-property
CWE‑691 JavaScript js/exit-from-finally Jump from finally
CWE‑691 JavaScript js/template-object-injection Template Object Injection
CWE‑691 JavaScript js/code-injection Code injection
CWE‑691 JavaScript js/actions/command-injection Expression injection in Actions
CWE‑691 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑691 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑691 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑691 JavaScript js/file-system-race Potential file system race condition
CWE‑691 JavaScript js/server-crash Server crash
CWE‑691 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑691 JavaScript js/xml-bomb XML internal entity expansion
CWE‑691 JavaScript js/loop-bound-injection Loop bound injection
CWE‑691 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑691 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑691 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑691 JavaScript js/misleading-indentation-of-dangling-else Misleading indentation of dangling 'else'
CWE‑691 JavaScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑691 JavaScript js/misleading-indentation-after-control-statement Misleading indentation after control statement
CWE‑691 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑691 JavaScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE‑691 JavaScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE‑691 JavaScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE‑691 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑691 Python py/code-injection Code injection
CWE‑691 Python py/xml-bomb XML internal entity expansion
CWE‑691 Python py/asserts-tuple Asserting a tuple
CWE‑691 Python py/exit-from-finally 'break' or 'return' statement in finally
CWE‑691 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑691 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer denial of service
CWE‑691 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑691 Ruby rb/server-side-template-injection Server-side template injection
CWE‑691 Ruby rb/code-injection Code injection
CWE‑691 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE‑691 Ruby rb/xxe XML external entity expansion
CWE‑691 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE‑691 Swift swift/unsafe-js-eval JavaScript Injection
CWE‑691 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE‑693 C++ cpp/boost/tls-settings-misconfiguration Boost_asio TLS Settings Misconfiguration
CWE‑693 C++ cpp/boost/use-of-deprecated-hardcoded-security-protocol boost::asio Use of deprecated hardcoded Protocol
CWE‑693 C++ cpp/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 C++ cpp/count-untrusted-data-external-api-ir Frequency counts for external APIs that are used with untrusted data
CWE‑693 C++ cpp/untrusted-data-to-external-api-ir Untrusted data passed to external API
CWE‑693 C++ cpp/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 C++ cpp/uncontrolled-process-operation Uncontrolled process operation
CWE‑693 C++ cpp/unclear-array-index-validation Unclear validation of array index
CWE‑693 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑693 C++ cpp/user-controlled-bypass Authentication bypass by spoofing
CWE‑693 C++ cpp/certificate-result-conflation Certificate result conflation
CWE‑693 C++ cpp/certificate-not-checked Certificate not checked
CWE‑693 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑693 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑693 C++ cpp/cleartext-transmission Cleartext transmission of sensitive information
CWE‑693 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑693 C++ cpp/non-https-url Failure to use HTTPS URLs
CWE‑693 C++ cpp/insufficient-key-size Use of a cryptographic algorithm with insufficient key size
CWE‑693 C++ cpp/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑693 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑693 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑693 C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE‑693 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑693 C++ cpp/tainted-permissions-check Untrusted input for a condition
CWE‑693 C++ cpp/late-check-of-function-argument Late Check Of Function Argument
CWE‑693 C++ cpp/linux-kernel-no-check-before-unsafe-put-user Linux kernel no check before unsafe_put_user vulnerability detection
CWE‑693 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑693 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑693 C++ cpp/pam-auth-bypass PAM Authorization bypass
CWE‑693 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑693 C# cs/password-in-configuration Password in configuration file
CWE‑693 C# cs/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 C# cs/serialization-check-bypass Serialization check bypass
CWE‑693 C# cs/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 C# cs/xml/missing-validation Missing XML validation
CWE‑693 C# cs/assembly-path-injection Assembly path injection
CWE‑693 C# cs/web/missing-function-level-access-control Missing function level access control
CWE‑693 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑693 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑693 C# cs/adding-cert-to-root-store Do not add certificates to the system root store.
CWE‑693 C# cs/insecure-sql-connection Insecure SQL connection
CWE‑693 C# cs/web/missing-token-validation Missing cross-site request forgery token validation
CWE‑693 C# cs/session-reuse Failure to abandon session
CWE‑693 C# cs/web/requiressl-not-set 'requireSSL' attribute is not set to true
CWE‑693 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑693 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑693 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑693 C# cs/web/broad-cookie-domain Cookie security: overly broad domain
CWE‑693 C# cs/web/broad-cookie-path Cookie security: overly broad path
CWE‑693 C# cs/ecb-encryption Encryption using ECB
CWE‑693 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE‑693 C# cs/insufficient-key-size Weak encryption: Insufficient key size
CWE‑693 C# cs/weak-encryption Weak encryption
CWE‑693 C# cs/azure-storage/unsafe-usage-of-client-side-encryption-version Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
CWE‑693 C# cs/web/cookie-secure-not-set 'Secure' attribute is not set to true
CWE‑693 Go go/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 Go go/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑693 Go go/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑693 Go go/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑693 Go go/suspicious-character-in-regex Suspicious characters in a regular expression
CWE‑693 Go go/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 Go go/untrusted-data-to-unknown-external-api Untrusted data passed to unknown external API
CWE‑693 Go go/disabled-certificate-check Disabled TLS certificate check
CWE‑693 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑693 Go go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE‑693 Go go/weak-crypto-key Use of a weak cryptographic key
CWE‑693 Go go/insecure-tls Insecure TLS configuration
CWE‑693 Go go/constant-oauth2-state Use of constant state value in OAuth 2.0 URL
CWE‑693 Go go/email-injection Email content injection
CWE‑693 Go go/hardcoded-credentials Hard-coded credentials
CWE‑693 Go go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑693 Go go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑693 Go go/weak-crypto-algorithm Use of a weak cryptographic algorithm
CWE‑693 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑693 Go go/cors-misconfiguration CORS misconfiguration
CWE‑693 Java java/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 Java java/overly-large-range Overly permissive regular expression range
CWE‑693 Java java/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 Java java/improper-validation-of-array-construction Improper validation of user-provided size used for array construction
CWE‑693 Java java/improper-validation-of-array-construction-code-specified Improper validation of code-specified size used for array construction
CWE‑693 Java java/improper-validation-of-array-construction-local Improper validation of local user-provided size used for array construction
CWE‑693 Java java/improper-validation-of-array-index Improper validation of user-provided array index
CWE‑693 Java java/improper-validation-of-array-index-code-specified Improper validation of code-specified array index
CWE‑693 Java java/improper-validation-of-array-index-local Improper validation of local user-provided array index
CWE‑693 Java java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE‑693 Java java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE‑693 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑693 Java java/android/missing-certificate-pinning Android missing certificate pinning
CWE‑693 Java java/improper-webview-certificate-validation Android WebView that accepts all certificates
CWE‑693 Java java/insecure-trustmanager TrustManager that accepts all certificates
CWE‑693 Java java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE‑693 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑693 Java java/android/backup-enabled Application backup allowed
CWE‑693 Java java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE‑693 Java java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE‑693 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑693 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑693 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑693 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑693 Java java/non-https-url Failure to use HTTPS URLs
CWE‑693 Java java/non-ssl-connection Failure to use SSL
CWE‑693 Java java/non-ssl-socket-factory Failure to use SSL socket factories
CWE‑693 Java java/insufficient-key-size Use of a cryptographic algorithm with insufficient key size
CWE‑693 Java java/weak-cryptographic-algorithm Use of a broken or risky cryptographic algorithm
CWE‑693 Java java/potentially-weak-cryptographic-algorithm Use of a potentially broken or risky cryptographic algorithm
CWE‑693 Java java/missing-jwt-signature-check Missing JWT signature check
CWE‑693 Java java/spring-disabled-csrf-protection Disabled Spring CSRF protection
CWE‑693 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑693 Java java/insecure-basic-auth Insecure basic authentication
CWE‑693 Java java/insecure-ldap-auth Insecure LDAP authentication
CWE‑693 Java java/insecure-cookie Failure to use secure cookies
CWE‑693 Java java/world-writable-file-read Reading from a world writable file
CWE‑693 Java java/rsa-without-oaep Use of RSA algorithm without OAEP
CWE‑693 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑693 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑693 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑693 Java java/hardcoded-password-field Hard-coded password field
CWE‑693 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑693 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑693 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑693 Java java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE‑693 Java java/android/incomplete-provider-permissions Missing read or write permission in a content provider
CWE‑693 Java java/android/implicitly-exported-component Implicitly exported Android component
CWE‑693 Java java/android/implicit-pendingintents Use of implicit PendingIntents
CWE‑693 Java java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE‑693 Java java/android/sensitive-result-receiver Leaking sensitive information through a ResultReceiver
CWE‑693 Java java/android/intent-redirection Android Intent redirection
CWE‑693 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑693 Java java/jxbrowser/disabled-certificate-validation JxBrowser with disabled certificate validation
CWE‑693 Java java/ignored-hostname-verification Ignored result of hostname verification
CWE‑693 Java java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE‑693 Java java/disabled-certificate-revocation-checking Disabled certificate revocation checking
CWE‑693 Java java/azure-storage/unsafe-client-side-encryption-in-use Unsafe usage of v1 version of Azure Storage client-side encryption (CVE-2022-30187).
CWE‑693 Java java/unsafe-tls-version Unsafe TLS version
CWE‑693 Java java/unvalidated-cors-origin-set CORS is derived from untrusted input
CWE‑693 Java java/ip-address-spoofing IP address spoofing
CWE‑693 Java java/jsonp-injection JSONP Injection
CWE‑693 Java java/credentials-in-properties Cleartext Credentials in Properties File
CWE‑693 Java java/password-in-configuration Password in configuration file
CWE‑693 Java java/hash-without-salt Use of a hash function without a salt
CWE‑693 Java java/incorrect-url-verification Incorrect URL verification
CWE‑693 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑693 JavaScript js/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 JavaScript js/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑693 JavaScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑693 JavaScript js/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑693 JavaScript js/incorrect-suffix-check Incorrect suffix check
CWE‑693 JavaScript js/missing-origin-check Missing origin verification in postMessage handler
CWE‑693 JavaScript js/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑693 JavaScript js/overly-large-range Overly permissive regular expression range
CWE‑693 JavaScript js/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 JavaScript js/useless-regexp-character-escape Useless regular-expression character escape
CWE‑693 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑693 JavaScript js/double-escaping Double escaping or unescaping
CWE‑693 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑693 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑693 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑693 JavaScript js/exposure-of-private-files Exposure of private files
CWE‑693 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑693 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑693 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑693 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑693 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑693 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑693 JavaScript js/insufficient-key-size Use of a weak cryptographic key
CWE‑693 JavaScript js/biased-cryptographic-random Creating biased random numbers from a cryptographically secure source.
CWE‑693 JavaScript js/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑693 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑693 JavaScript js/jwt-missing-verification JWT missing secret or public key verification
CWE‑693 JavaScript js/missing-token-validation Missing CSRF middleware
CWE‑693 JavaScript js/session-fixation Failure to abandon session
CWE‑693 JavaScript js/remote-property-injection Remote property injection
CWE‑693 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑693 JavaScript js/host-header-forgery-in-email-generation Host header poisoning in email generation
CWE‑693 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑693 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑693 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑693 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑693 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑693 JavaScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE‑693 JavaScript js/untrusted-data-to-external-api-more-sources Untrusted data passed to external API with additional heuristic sources
CWE‑693 JavaScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE‑693 JavaScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE‑693 JavaScript js/user-controlled-bypass-more-sources User-controlled bypass of security check with additional heuristic sources
CWE‑693 Python py/count-untrusted-data-external-api Frequency counts for external APIs that are used with untrusted data
CWE‑693 Python py/untrusted-data-to-external-api Untrusted data passed to external API
CWE‑693 Python py/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑693 Python py/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑693 Python py/overly-large-range Overly permissive regular expression range
CWE‑693 Python py/bad-tag-filter Bad HTML filtering regexp
CWE‑693 Python py/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑693 Python py/paramiko-missing-host-key-validation Accepting unknown SSH host keys when using Paramiko
CWE‑693 Python py/request-without-cert-validation Request without certificate validation
CWE‑693 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑693 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑693 Python py/weak-crypto-key Use of weak cryptographic key
CWE‑693 Python py/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑693 Python py/insecure-default-protocol Default version of SSL/TLS may be insecure
CWE‑693 Python py/insecure-protocol Use of insecure SSL/TLS version
CWE‑693 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE‑693 Python py/csrf-protection-disabled CSRF protection weakened or disabled
CWE‑693 Python py/overly-permissive-file Overly permissive file permissions
CWE‑693 Python py/hardcoded-credentials Hard-coded credentials
CWE‑693 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑693 Python py/flask-constant-secret-key Initializing SECRET_KEY of Flask application with Constant value
CWE‑693 Python py/improper-ldap-auth Improper LDAP Authentication
CWE‑693 Python py/azure-storage/unsafe-client-side-encryption-in-use Unsafe usage of v1 version of Azure Storage client-side encryption.
CWE‑693 Python py/jwt-missing-verification JWT missing secret or public key verification
CWE‑693 Python py/ip-address-spoofing IP address spoofing
CWE‑693 Python py/insecure-ldap-auth Python Insecure LDAP Authentication
CWE‑693 Python py/cookie-injection Construction of a cookie using user-supplied input.
CWE‑693 Python py/insecure-cookie Failure to use secure cookies
CWE‑693 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑693 Ruby rb/user-controlled-bypass User-controlled bypass of security check
CWE‑693 Ruby rb/improper-ldap-auth Improper LDAP Authentication
CWE‑693 Ruby rb/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑693 Ruby rb/incomplete-url-substring-sanitization Incomplete URL substring sanitization
CWE‑693 Ruby rb/regex/badly-anchored-regexp Badly anchored regular expression
CWE‑693 Ruby rb/regex/missing-regexp-anchor Missing regular expression anchor
CWE‑693 Ruby rb/overly-large-range Overly permissive regular expression range
CWE‑693 Ruby rb/bad-tag-filter Bad HTML filtering regexp
CWE‑693 Ruby rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑693 Ruby rb/incomplete-sanitization Incomplete string escaping or encoding
CWE‑693 Ruby rb/request-without-cert-validation Request without certificate validation
CWE‑693 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑693 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑693 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑693 Ruby rb/weak-cryptographic-algorithm Use of a broken or weak cryptographic algorithm
CWE‑693 Ruby rb/csrf-protection-disabled CSRF protection weakened or disabled
CWE‑693 Ruby rb/weak-cookie-configuration Weak cookie configuration
CWE‑693 Ruby rb/overly-permissive-file Overly permissive file permissions
CWE‑693 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE‑693 Swift swift/incomplete-hostname-regexp Incomplete regular expression for hostnames
CWE‑693 Swift swift/bad-tag-filter Bad HTML filtering regexp
CWE‑693 Swift swift/constant-password Constant password
CWE‑693 Swift swift/cleartext-storage-database Cleartext storage of sensitive information in a local database
CWE‑693 Swift swift/cleartext-transmission Cleartext transmission of sensitive information
CWE‑693 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE‑693 Swift swift/cleartext-storage-preferences Cleartext storage of sensitive information in an application preference store
CWE‑693 Swift swift/hardcoded-key Hard-coded encryption key
CWE‑693 Swift swift/ecb-encryption Encryption using ECB
CWE‑693 Swift swift/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE‑693 Swift swift/insecure-tls Insecure TLS configuration
CWE‑693 Swift swift/constant-salt Use of constant salts
CWE‑693 Swift swift/insufficient-hash-iterations Insufficient hash iterations
CWE‑695 Java java/ejb/file-io EJB uses file input/output
CWE‑695 Java java/ejb/graphics EJB uses graphics
CWE‑695 Java java/ejb/synchronization EJB uses synchronization
CWE‑695 Java java/ejb/threads EJB uses threads
CWE‑696 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑696 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑697 C++ cpp/missing-case-in-switch Missing enum case in switch
CWE‑697 C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE‑697 C# cs/class-name-comparison Erroneous class compare
CWE‑697 C# cs/reference-equality-with-object Reference equality test on System.Object
CWE‑697 C# cs/reference-equality-on-valuetypes Call to ReferenceEquals(...) on value type expressions
CWE‑697 Go go/cors-misconfiguration CORS misconfiguration
CWE‑697 Java java/missing-default-in-switch Missing default case in switch
CWE‑697 Java java/reference-equality-with-object Reference equality test on java.lang.Object
CWE‑697 Java java/reference-equality-of-boxed-types Reference equality test of boxed types
CWE‑697 Java java/reference-equality-on-strings Reference equality test on strings
CWE‑697 Java java/missing-case-in-switch Missing enum case in switch
CWE‑697 JavaScript js/angular/insecure-url-whitelist Insecure URL whitelist
CWE‑697 JavaScript js/incomplete-url-scheme-check Incomplete URL scheme check
CWE‑697 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑697 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑697 JavaScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE‑697 Python py/bad-tag-filter Bad HTML filtering regexp
CWE‑697 Ruby rb/bad-tag-filter Bad HTML filtering regexp
CWE‑697 Swift swift/bad-tag-filter Bad HTML filtering regexp
CWE‑703 C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE‑703 C++ cpp/return-value-ignored Return value of a function is ignored
CWE‑703 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑703 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑703 C++ cpp/inconsistent-call-on-result Inconsistent operation on return value
CWE‑703 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑703 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑703 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑703 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑703 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑703 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑703 C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE‑703 C++ cpp/improper-check-return-value-scanf Improper check of return value of scanf
CWE‑703 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑703 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑703 C# cs/unchecked-return-value Unchecked return value
CWE‑703 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑703 C# cs/empty-catch-block Poor error handling: empty catch block
CWE‑703 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑703 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑703 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑703 Go go/stack-trace-exposure Information exposure through a stack trace
CWE‑703 Java java/inconsistent-call-on-result Inconsistent operation on return value
CWE‑703 Java java/return-value-ignored Method result ignored
CWE‑703 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑703 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑703 Java java/discarded-exception Discarded exception
CWE‑703 Java java/overly-general-catch Overly-general catch clause
CWE‑703 Java java/ignored-error-status-of-call Ignored error status of call
CWE‑703 Java java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE‑703 Java java/uncaught-servlet-exception Uncaught Servlet Exception
CWE‑703 Java java/android/nfe-local-android-dos Local Android DoS Caused By NumberFormatException
CWE‑703 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑703 JavaScript js/server-crash Server crash
CWE‑703 JavaScript js/unvalidated-dynamic-method-call Unvalidated dynamic method call
CWE‑703 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑703 Python py/empty-except Empty except
CWE‑703 Python py/ignored-return-value Ignored return value
CWE‑703 Python py/stack-trace-exposure Information exposure through an exception
CWE‑703 Ruby rb/stack-trace-exposure Information exposure through an exception
CWE‑704 C++ cpp/bad-addition-overflow-check Bad check for overflow of integer addition
CWE‑704 C++ cpp/integer-multiplication-cast-to-long Multiplication result converted to larger type
CWE‑704 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑704 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑704 C++ cpp/integer-overflow-tainted Potential integer arithmetic overflow
CWE‑704 C++ cpp/incorrect-string-type-conversion Cast from char to wchar_t
CWE‑704 C# cs/loss-of-precision Possible loss of precision
CWE‑704 Go go/shift-out-of-range Shift out of range
CWE‑704 Go go/incorrect-integer-conversion Incorrect conversion between integer types
CWE‑704 Java java/implicit-cast-in-compound-assignment Implicit narrowing conversion in compound assignment
CWE‑704 Java java/integer-multiplication-cast-to-long Result of multiplication cast to wider type
CWE‑704 Java java/impossible-array-cast Impossible array cast
CWE‑704 Java java/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑704 Java java/tainted-numeric-cast User-controlled data in numeric cast
CWE‑704 Java java/tainted-numeric-cast-local Local-user-controlled data in numeric cast
CWE‑704 JavaScript js/implicit-operand-conversion Implicit operand conversion
CWE‑704 JavaScript js/shift-out-of-range Shift out of range
CWE‑704 JavaScript js/invalid-prototype-value Invalid prototype value
CWE‑704 JavaScript js/property-assignment-on-primitive Assignment to property of primitive value
CWE‑704 JavaScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE‑705 C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE‑705 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑705 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑705 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑705 Java java/ejb/container-interference EJB interferes with container operation
CWE‑705 Java java/overly-general-catch Overly-general catch clause
CWE‑705 Java java/uncaught-number-format-exception Missing catch of NumberFormatException
CWE‑705 Java java/jvm-exit Forcible JVM termination
CWE‑705 Java java/abnormal-finally-completion Finally block may not complete normally
CWE‑705 Java java/uncaught-servlet-exception Uncaught Servlet Exception
CWE‑705 JavaScript js/exit-from-finally Jump from finally
CWE‑705 JavaScript js/server-crash Server crash
CWE‑705 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑705 Python py/exit-from-finally 'break' or 'return' statement in finally
CWE‑706 C++ cpp/path-injection Uncontrolled data used in path expression
CWE‑706 C# cs/path-injection Uncontrolled data used in path expression
CWE‑706 C# cs/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑706 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑706 C# cs/insecure-xml-read XML is read insecurely
CWE‑706 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑706 Go go/path-injection Uncontrolled data used in path expression
CWE‑706 Go go/unsafe-unzip-symlink Arbitrary file write extracting an archive containing symbolic links
CWE‑706 Go go/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑706 Java java/path-injection Uncontrolled data used in path expression
CWE‑706 Java java/path-injection-local Local-user-controlled data in path expression
CWE‑706 Java java/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑706 Java java/partial-path-traversal Partial path traversal vulnerability
CWE‑706 Java java/partial-path-traversal-from-remote Partial path traversal vulnerability from remote
CWE‑706 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑706 Java java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE‑706 Java java/openstream-called-on-tainted-url openStream called on URLs created from remote source
CWE‑706 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑706 JavaScript js/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑706 JavaScript js/case-sensitive-middleware-path Case-sensitive middleware path
CWE‑706 JavaScript js/xxe XML external entity expansion
CWE‑706 JavaScript js/xxe-more-sources XML external entity expansion with additional heuristic sources
CWE‑706 Python py/path-injection Uncontrolled data used in path expression
CWE‑706 Python py/tarslip Arbitrary file write during tarfile extraction
CWE‑706 Python py/xxe XML external entity expansion
CWE‑706 Python py/zipslip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑706 Python py/tarslip-extended Arbitrary file write during tarfile extraction
CWE‑706 Python py/unsafe-unpacking Arbitrary file write during a tarball extraction from a user controlled source
CWE‑706 Ruby rb/zip-slip Arbitrary file access during archive extraction ("Zip Slip")
CWE‑706 Ruby rb/path-injection Uncontrolled data used in path expression
CWE‑706 Ruby rb/xxe XML external entity expansion
CWE‑706 Swift swift/path-injection Uncontrolled data used in path expression
CWE‑706 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE‑707 C++ cpp/non-constant-format Non-constant format string
CWE‑707 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑707 C++ cpp/improper-null-termination Potential improper null termination
CWE‑707 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑707 C++ cpp/command-line-injection Uncontrolled data used in OS command
CWE‑707 C++ cpp/cgi-xss CGI script vulnerable to cross-site scripting
CWE‑707 C++ cpp/sql-injection Uncontrolled data in SQL query
CWE‑707 C++ cpp/tainted-format-string Uncontrolled format string
CWE‑707 C++ cpp/tainted-format-string-through-global Uncontrolled format string (through global variable)
CWE‑707 C++ cpp/user-controlled-null-termination-tainted User-controlled data may not be null terminated
CWE‑707 C++ cpp/wordexp-injection Uncontrolled data used in wordexp command
CWE‑707 C# cs/path-injection Uncontrolled data used in path expression
CWE‑707 C# cs/command-line-injection Uncontrolled command line
CWE‑707 C# cs/stored-command-line-injection Uncontrolled command line from stored user input
CWE‑707 C# cs/web/stored-xss Stored cross-site scripting
CWE‑707 C# cs/web/xss Cross-site scripting
CWE‑707 C# cs/second-order-sql-injection SQL query built from stored user-controlled sources
CWE‑707 C# cs/sql-injection SQL query built from user-controlled sources
CWE‑707 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE‑707 C# cs/stored-ldap-injection LDAP query built from stored user-controlled sources
CWE‑707 C# cs/xml-injection XML injection
CWE‑707 C# cs/code-injection Improper control of generation of code
CWE‑707 C# cs/resource-injection Resource injection
CWE‑707 C# cs/log-forging Log entries created from user input
CWE‑707 C# cs/uncontrolled-format-string Uncontrolled format string
CWE‑707 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑707 C# cs/xml/xpath-injection XPath injection
CWE‑707 C# cs/inappropriate-encoding Inappropriate encoding
CWE‑707 C# cs/web/disabled-header-checking Header checking disabled
CWE‑707 C# cs/webclient-path-injection Uncontrolled data used in a WebClient
CWE‑707 Go go/path-injection Uncontrolled data used in path expression
CWE‑707 Go go/command-injection Command built from user-controlled sources
CWE‑707 Go go/stored-command Command built from stored data
CWE‑707 Go go/reflected-xss Reflected cross-site scripting
CWE‑707 Go go/stored-xss Stored cross-site scripting
CWE‑707 Go go/sql-injection Database query built from user-controlled sources
CWE‑707 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑707 Go go/log-injection Log entries created from user input
CWE‑707 Go go/xml/xpath-injection XPath injection
CWE‑707 Go go/ldap-injection LDAP query built from user-controlled sources
CWE‑707 Go go/dsn-injection SQL Data-source URI built from user-controlled sources
CWE‑707 Go go/dsn-injection-local SQL Data-source URI built from local user-controlled sources
CWE‑707 Go go/html-template-escaping-passthrough HTML template escaping passthrough
CWE‑707 Java java/jndi-injection JNDI lookup with user-controlled name
CWE‑707 Java java/xslt-injection XSLT transformation with user-controlled stylesheet
CWE‑707 Java java/relative-path-command Executing a command with a relative path
CWE‑707 Java java/command-line-injection Uncontrolled command line
CWE‑707 Java java/command-line-injection-local Local-user-controlled command line
CWE‑707 Java java/concatenated-command-line Building a command line with string concatenation
CWE‑707 Java java/android/webview-addjavascriptinterface Access Java object methods through JavaScript exposure
CWE‑707 Java java/android/websettings-javascript-enabled Android WebView JavaScript settings
CWE‑707 Java java/xss Cross-site scripting
CWE‑707 Java java/xss-local Cross-site scripting from local source
CWE‑707 Java java/concatenated-sql-query Query built by concatenation with a possibly-untrusted string
CWE‑707 Java java/sql-injection Query built from user-controlled sources
CWE‑707 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑707 Java java/ldap-injection LDAP query built from user-controlled sources
CWE‑707 Java java/android/arbitrary-apk-installation Android APK installation
CWE‑707 Java java/groovy-injection Groovy Language injection
CWE‑707 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑707 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑707 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑707 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑707 Java java/server-side-template-injection Server-side template injection
CWE‑707 Java java/netty-http-request-or-response-splitting Disabled Netty HTTP header validation
CWE‑707 Java java/http-response-splitting HTTP response splitting
CWE‑707 Java java/http-response-splitting-local HTTP response splitting from local source
CWE‑707 Java java/log-injection Log Injection
CWE‑707 Java java/tainted-format-string Use of externally-controlled format string
CWE‑707 Java java/tainted-format-string-local Use of externally-controlled format string from local source
CWE‑707 Java java/xml/xpath-injection XPath injection
CWE‑707 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE‑707 Java java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE‑707 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑707 Java java/command-line-injection-extra Command Injection into Runtime.exec() with dangerous command
CWE‑707 Java java/command-line-injection-extra-local Command Injection into Runtime.exec() with dangerous command
CWE‑707 Java java/command-line-injection-experimental Uncontrolled command line (experimental sinks)
CWE‑707 Java java/mybatis-annotation-sql-injection SQL injection in MyBatis annotation
CWE‑707 Java java/mybatis-xml-sql-injection SQL injection in MyBatis Mapper XML
CWE‑707 Java java/beanshell-injection BeanShell injection
CWE‑707 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑707 Java java/jshell-injection JShell injection
CWE‑707 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑707 Java java/jython-injection Injection in Jython
CWE‑707 Java java/unsafe-eval Injection in Java Script Engine
CWE‑707 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑707 Java java/spring-view-manipulation Spring View Manipulation
CWE‑707 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑707 JavaScript js/angular/disabling-sce Disabling SCE
CWE‑707 JavaScript js/disabling-electron-websecurity Disabling Electron webSecurity
CWE‑707 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑707 JavaScript js/identity-replacement Replacement of a substring with itself
CWE‑707 JavaScript js/path-injection Uncontrolled data used in path expression
CWE‑707 JavaScript js/template-object-injection Template Object Injection
CWE‑707 JavaScript js/command-line-injection Uncontrolled command line
CWE‑707 JavaScript js/indirect-command-line-injection Indirect uncontrolled command line
CWE‑707 JavaScript js/second-order-command-line-injection Second order command injection
CWE‑707 JavaScript js/shell-command-injection-from-environment Shell command built from environment values
CWE‑707 JavaScript js/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑707 JavaScript js/unnecessary-use-of-cat Unnecessary use of cat process
CWE‑707 JavaScript js/xss-through-exception Exception text reinterpreted as HTML
CWE‑707 JavaScript js/reflected-xss Reflected cross-site scripting
CWE‑707 JavaScript js/stored-xss Stored cross-site scripting
CWE‑707 JavaScript js/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑707 JavaScript js/unsafe-jquery-plugin Unsafe jQuery plugin
CWE‑707 JavaScript js/xss Client-side cross-site scripting
CWE‑707 JavaScript js/xss-through-dom DOM text reinterpreted as HTML
CWE‑707 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑707 JavaScript js/code-injection Code injection
CWE‑707 JavaScript js/actions/command-injection Expression injection in Actions
CWE‑707 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑707 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑707 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑707 JavaScript js/bad-tag-filter Bad HTML filtering regexp
CWE‑707 JavaScript js/double-escaping Double escaping or unescaping
CWE‑707 JavaScript js/incomplete-html-attribute-sanitization Incomplete HTML attribute sanitization
CWE‑707 JavaScript js/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑707 JavaScript js/incomplete-sanitization Incomplete string escaping or encoding
CWE‑707 JavaScript js/unsafe-html-expansion Unsafe expansion of self-closing HTML tag
CWE‑707 JavaScript js/log-injection Log injection
CWE‑707 JavaScript js/tainted-format-string Use of externally-controlled format string
CWE‑707 JavaScript js/client-side-unvalidated-url-redirection Client-side URL redirect
CWE‑707 JavaScript js/xpath-injection XPath injection
CWE‑707 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑707 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑707 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑707 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑707 JavaScript js/command-line-injection-more-sources Uncontrolled command line with additional heuristic sources
CWE‑707 JavaScript js/xss-more-sources Client-side cross-site scripting with additional heuristic sources
CWE‑707 JavaScript js/sql-injection-more-sources Database query built from user-controlled sources with additional heuristic sources
CWE‑707 JavaScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE‑707 JavaScript js/log-injection-more-sources Log injection with additional heuristic sources
CWE‑707 JavaScript js/tainted-format-string-more-sources Use of externally-controlled format string with additional heuristic sources
CWE‑707 JavaScript js/xpath-injection-more-sources XPath injection with additional heuristic sources
CWE‑707 JavaScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE‑707 Python py/path-injection Uncontrolled data used in path expression
CWE‑707 Python py/command-line-injection Uncontrolled command line
CWE‑707 Python py/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑707 Python py/jinja2/autoescape-false Jinja2 templating with autoescape=False
CWE‑707 Python py/reflective-xss Reflected server-side cross-site scripting
CWE‑707 Python py/sql-injection SQL query built from user-controlled sources
CWE‑707 Python py/ldap-injection LDAP query built from user-controlled sources
CWE‑707 Python py/code-injection Code injection
CWE‑707 Python py/bad-tag-filter Bad HTML filtering regexp
CWE‑707 Python py/log-injection Log Injection
CWE‑707 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑707 Python py/template-injection Server Side Template Injection
CWE‑707 Python py/paramiko-command-injection RCE with user provided command with paramiko ssh client
CWE‑707 Python py/reflective-xss-email Reflected server-side cross-site scripting
CWE‑707 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑707 Python py/header-injection HTTP Header Injection
CWE‑707 Python py/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑707 Python py/nosql-injection NoSQL Injection
CWE‑707 Ruby rb/unicode-bypass-validation Bypass Logical Validation Using Unicode Characters
CWE‑707 Ruby rb/ldap-injection LDAP Injection
CWE‑707 Ruby rb/server-side-template-injection Server-side template injection
CWE‑707 Ruby rb/xpath-injection XPath query built from user-controlled sources
CWE‑707 Ruby rb/path-injection Uncontrolled data used in path expression
CWE‑707 Ruby rb/command-line-injection Uncontrolled command line
CWE‑707 Ruby rb/kernel-open Use of Kernel.open, IO.read or similar sinks with user-controlled input
CWE‑707 Ruby rb/non-constant-kernel-open Use of Kernel.open or IO.read or similar sinks with a non-constant value
CWE‑707 Ruby rb/shell-command-constructed-from-input Unsafe shell command constructed from library input
CWE‑707 Ruby rb/reflected-xss Reflected server-side cross-site scripting
CWE‑707 Ruby rb/stored-xss Stored cross-site scripting
CWE‑707 Ruby rb/html-constructed-from-input Unsafe HTML constructed from library input
CWE‑707 Ruby rb/sql-injection SQL query built from user-controlled sources
CWE‑707 Ruby rb/code-injection Code injection
CWE‑707 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE‑707 Ruby rb/bad-tag-filter Bad HTML filtering regexp
CWE‑707 Ruby rb/incomplete-multi-character-sanitization Incomplete multi-character sanitization
CWE‑707 Ruby rb/incomplete-sanitization Incomplete string escaping or encoding
CWE‑707 Ruby rb/log-injection Log injection
CWE‑707 Ruby rb/tainted-format-string Use of externally-controlled format string
CWE‑707 Swift swift/command-line-injection System command built from user-controlled sources
CWE‑707 Swift swift/path-injection Uncontrolled data used in path expression
CWE‑707 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE‑707 Swift swift/sql-injection Database query built from user-controlled sources
CWE‑707 Swift swift/unsafe-js-eval JavaScript Injection
CWE‑707 Swift swift/bad-tag-filter Bad HTML filtering regexp
CWE‑707 Swift swift/uncontrolled-format-string Uncontrolled format string
CWE‑707 Swift swift/predicate-injection Predicate built from user-controlled sources
CWE‑710 C++ cpp/unused-local-variable Unused local variable
CWE‑710 C++ cpp/unused-static-function Unused static function
CWE‑710 C++ cpp/unused-static-variable Unused static variable
CWE‑710 C++ cpp/dead-code-condition Branching condition always evaluates to same value
CWE‑710 C++ cpp/dead-code-function Function is never called
CWE‑710 C++ cpp/dead-code-goto Dead code due to goto or break statement
CWE‑710 C++ cpp/double-free Potential double free
CWE‑710 C++ cpp/inconsistent-nullness-testing Inconsistent null check of pointer
CWE‑710 C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE‑710 C++ cpp/missing-null-test Returned pointer not checked
CWE‑710 C++ cpp/unused-variable Variable is assigned a value that is never read
CWE‑710 C++ cpp/fixme-comment FIXME comment
CWE‑710 C++ cpp/todo-comment TODO comment
CWE‑710 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑710 C++ cpp/wrong-number-format-arguments Too few arguments to formatting function
CWE‑710 C++ cpp/wrong-type-format-argument Wrong type of arguments to formatting function
CWE‑710 C++ cpp/inconsistent-null-check Inconsistent nullness check
CWE‑710 C++ cpp/useless-expression Expression has no effect
CWE‑710 C++ cpp/pointer-overflow-check Pointer overflow check
CWE‑710 C++ cpp/bad-strncpy-size Possibly wrong buffer size in string copy
CWE‑710 C++ cpp/suspicious-call-to-memset Suspicious call to memset
CWE‑710 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑710 C++ cpp/unsafe-strcat Potentially unsafe use of strcat
CWE‑710 C++ cpp/redundant-null-check-simple Redundant null check due to previous dereference
CWE‑710 C++ cpp/too-few-arguments Call to function with fewer arguments than declared parameters
CWE‑710 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑710 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑710 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑710 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑710 C++ cpp/dangerous-function-overflow Use of dangerous function
CWE‑710 C++ cpp/dangerous-cin Dangerous use of 'cin'
CWE‑710 C++ cpp/potentially-dangerous-function Use of potentially dangerous function
CWE‑710 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑710 C++ cpp/twice-locked Mutex locked twice
CWE‑710 C++ cpp/unreleased-lock Lock may not be released
CWE‑710 C++ cpp/redundant-null-check-param Redundant null check or missing null check of parameter
CWE‑710 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑710 C++ cpp/wrong-use-of-the-umask Find the wrong use of the umask function.
CWE‑710 C++ cpp/experimental-double-free Errors When Double Free
CWE‑710 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑710 C++ cpp/operator-find-incorrectly-used-switch Incorrect switch statement
CWE‑710 C++ cpp/double-release Errors When Double Release
CWE‑710 C++ cpp/errors-of-undefined-program-behavior Errors Of Undefined Program Behavior
CWE‑710 C# cs/call-to-obsolete-method Call to obsolete method
CWE‑710 C# cs/inconsistent-equals-and-gethashcode Inconsistent Equals(object) and GetHashCode()
CWE‑710 C# cs/todo-comment TODO comment
CWE‑710 C# cs/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑710 C# cs/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑710 C# cs/unused-reftype Dead reference types
CWE‑710 C# cs/useless-assignment-to-local Useless assignment to local variable
CWE‑710 C# cs/unused-field Unused field
CWE‑710 C# cs/unused-method Unused method
CWE‑710 C# cs/captured-foreach-variable Capturing a foreach variable
CWE‑710 C# cs/useless-cast-to-self Cast to same type
CWE‑710 C# cs/useless-is-before-as Useless 'is' before 'as'
CWE‑710 C# cs/coalesce-of-identical-expressions Useless ?? expression
CWE‑710 C# cs/useless-type-test Useless type test
CWE‑710 C# cs/useless-upcast Useless upcast
CWE‑710 C# cs/empty-collection Container contents are never initialized
CWE‑710 C# cs/unused-collection Container contents are never accessed
CWE‑710 C# cs/invalid-dynamic-call Bad dynamic call
CWE‑710 C# cs/empty-lock-statement Empty lock statement
CWE‑710 C# cs/linq/useless-select Redundant Select
CWE‑710 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑710 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑710 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑710 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑710 Go go/comparison-of-identical-expressions Comparison of identical values
CWE‑710 Go go/useless-assignment-to-field Useless assignment to field
CWE‑710 Go go/useless-assignment-to-local Useless assignment to local variable
CWE‑710 Go go/duplicate-branches Duplicate 'if' branches
CWE‑710 Go go/duplicate-condition Duplicate 'if' condition
CWE‑710 Go go/duplicate-switch-case Duplicate switch case
CWE‑710 Go go/useless-expression Expression has no effect
CWE‑710 Go go/redundant-operation Identical operands
CWE‑710 Go go/redundant-assignment Self assignment
CWE‑710 Go go/unreachable-statement Unreachable statement
CWE‑710 Go go/hardcoded-credentials Hard-coded credentials
CWE‑710 Go go/pam-auth-bypass PAM authorization bypass due to incorrect usage
CWE‑710 Go go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑710 Java java/deprecated-call Deprecated method or constructor invocation
CWE‑710 Java java/dead-class Dead class
CWE‑710 Java java/dead-enum-constant Dead enum constant
CWE‑710 Java java/dead-field Dead field
CWE‑710 Java java/dead-function Dead method
CWE‑710 Java java/lines-of-dead-code Lines of dead code in files
CWE‑710 Java java/unused-parameter Useless parameter
CWE‑710 Java java/ejb/container-interference EJB interferes with container operation
CWE‑710 Java java/ejb/file-io EJB uses file input/output
CWE‑710 Java java/ejb/graphics EJB uses graphics
CWE‑710 Java java/ejb/native-code EJB uses native code
CWE‑710 Java java/ejb/reflection EJB uses reflection
CWE‑710 Java java/ejb/security-configuration-access EJB accesses security configuration
CWE‑710 Java java/ejb/substitution-in-serialization EJB uses substitution in serialization
CWE‑710 Java java/ejb/socket-or-stream-handler-factory EJB sets socket factory or URL stream handler factory
CWE‑710 Java java/ejb/server-socket EJB uses server socket
CWE‑710 Java java/ejb/non-final-static-field EJB uses non-final static field
CWE‑710 Java java/ejb/synchronization EJB uses synchronization
CWE‑710 Java java/ejb/this EJB uses 'this' as argument or result
CWE‑710 Java java/ejb/threads EJB uses threads
CWE‑710 Java java/useless-null-check Useless null check
CWE‑710 Java java/useless-type-test Useless type test
CWE‑710 Java java/useless-upcast Useless upcast
CWE‑710 Java java/missing-call-to-super-clone Missing super clone
CWE‑710 Java java/empty-container Container contents are never initialized
CWE‑710 Java java/unused-container Container contents are never accessed
CWE‑710 Java java/inconsistent-equals-and-hashcode Inconsistent equals and hashCode
CWE‑710 Java java/constant-comparison Useless comparison test
CWE‑710 Java java/unreleased-lock Unreleased lock
CWE‑710 Java java/missing-super-finalize Finalizer inconsistency
CWE‑710 Java java/missing-format-argument Missing format argument
CWE‑710 Java java/unused-format-argument Unused format argument
CWE‑710 Java java/dereferenced-value-is-always-null Dereferenced variable is always null
CWE‑710 Java java/dereferenced-expr-may-be-null Dereferenced expression may be null
CWE‑710 Java java/dereferenced-value-may-be-null Dereferenced variable may be null
CWE‑710 Java java/empty-synchronized-block Empty synchronized block
CWE‑710 Java java/unreachable-catch-clause Unreachable catch clause
CWE‑710 Java java/static-initialization-vector Using a static initialization vector for encryption
CWE‑710 Java java/potentially-dangerous-function Use of a potentially dangerous function
CWE‑710 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑710 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑710 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑710 Java java/hardcoded-password-field Hard-coded password field
CWE‑710 Java java/todo-comment TODO/FIXME comments
CWE‑710 Java java/unused-reference-type Unused classes and interfaces
CWE‑710 Java java/overwritten-assignment-to-local Assigned value is overwritten
CWE‑710 Java java/useless-assignment-to-local Useless assignment to local variable
CWE‑710 Java java/empty-finalizer Empty body of finalizer
CWE‑710 Java java/unused-initialized-local Local variable is initialized but not used
CWE‑710 Java java/local-variable-is-never-read Unread local variable
CWE‑710 Java java/unused-field Unused field
CWE‑710 Java java/unused-label Unused label
CWE‑710 Java java/unused-local-variable Unused local variable
CWE‑710 Java java/switch-fall-through Unterminated switch case
CWE‑710 Java java/redundant-cast Unnecessary cast
CWE‑710 Java java/unused-import Unnecessary import
CWE‑710 JavaScript js/todo-comment TODO comment
CWE‑710 JavaScript js/conflicting-html-attribute Conflicting HTML element attributes
CWE‑710 JavaScript js/malformed-html-id Malformed id attribute
CWE‑710 JavaScript js/eval-like-call Call to eval-like DOM function
CWE‑710 JavaScript js/variable-initialization-conflict Conflicting variable initialization
CWE‑710 JavaScript js/function-declaration-conflict Conflicting function declarations
CWE‑710 JavaScript js/useless-assignment-to-global Useless assignment to global variable
CWE‑710 JavaScript js/useless-assignment-to-local Useless assignment to local variable
CWE‑710 JavaScript js/overwritten-property Overwritten property
CWE‑710 JavaScript js/comparison-of-identical-expressions Comparison of identical values
CWE‑710 JavaScript js/comparison-with-nan Comparison with NaN
CWE‑710 JavaScript js/duplicate-condition Duplicate 'if' condition
CWE‑710 JavaScript js/duplicate-property Duplicate property
CWE‑710 JavaScript js/duplicate-switch-case Duplicate switch case
CWE‑710 JavaScript js/useless-expression Expression has no effect
CWE‑710 JavaScript js/comparison-between-incompatible-types Comparison between inconvertible types
CWE‑710 JavaScript js/redundant-operation Identical operands
CWE‑710 JavaScript js/redundant-assignment Self assignment
CWE‑710 JavaScript js/call-to-non-callable Invocation of non-function
CWE‑710 JavaScript js/property-access-on-non-object Property access on null or undefined
CWE‑710 JavaScript js/unneeded-defensive-code Unneeded defensive code
CWE‑710 JavaScript js/useless-type-test Useless type test
CWE‑710 JavaScript js/conditional-comment Conditional comments
CWE‑710 JavaScript js/eval-call Use of eval
CWE‑710 JavaScript js/non-standard-language-feature Use of platform-specific language features
CWE‑710 JavaScript js/for-in-comprehension Use of for-in comprehension blocks
CWE‑710 JavaScript js/superfluous-trailing-arguments Superfluous trailing arguments
CWE‑710 JavaScript js/yield-outside-generator Yield in non-generator function
CWE‑710 JavaScript js/node/assignment-to-exports-variable Assignment to exports variable
CWE‑710 JavaScript js/regex/unmatchable-caret Unmatchable caret in regular expression
CWE‑710 JavaScript js/regex/unmatchable-dollar Unmatchable dollar in regular expression
CWE‑710 JavaScript js/remote-property-injection Remote property injection
CWE‑710 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑710 JavaScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑710 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑710 JavaScript js/http-to-file-access Network data written to file
CWE‑710 JavaScript js/useless-assignment-in-return Return statement assigns local variable
CWE‑710 JavaScript js/unreachable-statement Unreachable statement
CWE‑710 JavaScript js/trivial-conditional Useless conditional
CWE‑710 JavaScript js/remote-property-injection-more-sources Remote property injection with additional heuristic sources
CWE‑710 Python py/equals-hash-mismatch Inconsistent equality and hashing
CWE‑710 Python py/call/wrong-named-class-argument Wrong name for an argument in a class instantiation
CWE‑710 Python py/call/wrong-number-class-arguments Wrong number of arguments in a class instantiation
CWE‑710 Python py/unreachable-except Unreachable 'except' block
CWE‑710 Python py/super-not-enclosing-class First argument to super() is not enclosing class
CWE‑710 Python py/comparison-of-constants Comparison of constants
CWE‑710 Python py/comparison-of-identical-expressions Comparison of identical values
CWE‑710 Python py/comparison-missing-self Maybe missing 'self' in comparison
CWE‑710 Python py/redundant-comparison Redundant comparison
CWE‑710 Python py/duplicate-key-dict-literal Duplicate key in dict literal
CWE‑710 Python py/call/wrong-named-argument Wrong name for an argument in a call
CWE‑710 Python py/percent-format/wrong-arguments Wrong number of arguments for format
CWE‑710 Python py/call/wrong-arguments Wrong number of arguments in a call
CWE‑710 Python py/import-deprecated-module Import of deprecated module
CWE‑710 Python py/hardcoded-credentials Hard-coded credentials
CWE‑710 Python py/constant-conditional-expression Constant in conditional expression or statement
CWE‑710 Python py/redundant-assignment Redundant assignment
CWE‑710 Python py/ineffectual-statement Statement has no effect
CWE‑710 Python py/unreachable-statement Unreachable code
CWE‑710 Python py/multiple-definition Variable defined multiple times
CWE‑710 Python py/unused-local-variable Unused local variable
CWE‑710 Python py/unused-global-variable Unused global variable
CWE‑710 Ruby rb/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑710 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE‑710 Ruby rb/http-to-file-access Network data written to file
CWE‑710 Ruby rb/useless-assignment-to-local Useless assignment to local variable
CWE‑710 Ruby rb/unused-parameter Unused parameter.
CWE‑710 Swift swift/static-initialization-vector Static initialization vector for encryption
CWE‑710 Swift swift/constant-password Constant password
CWE‑710 Swift swift/hardcoded-key Hard-coded encryption key
CWE‑732 C++ cpp/world-writable-file-creation File created without restricting permissions
CWE‑732 C++ cpp/open-call-with-mode-argument File opened with O_CREAT flag but without mode argument
CWE‑732 C++ cpp/unsafe-dacl-security-descriptor Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑732 Java java/local-temp-file-or-directory-information-disclosure Local information disclosure in a temporary directory
CWE‑732 Java java/world-writable-file-read Reading from a world writable file
CWE‑732 Python py/overly-permissive-file Overly permissive file permissions
CWE‑732 Ruby rb/weak-cookie-configuration Weak cookie configuration
CWE‑732 Ruby rb/overly-permissive-file Overly permissive file permissions
CWE‑733 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑749 Java java/android/unsafe-android-webview-fetch Unsafe resource fetching in Android WebView
CWE‑749 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE‑749 Swift swift/unsafe-js-eval JavaScript Injection
CWE‑754 C++ cpp/missing-check-scanf Missing return-value check for a 'scanf'-like function
CWE‑754 C++ cpp/return-value-ignored Return value of a function is ignored
CWE‑754 C++ cpp/overflowing-snprintf Potentially overflowing call to snprintf
CWE‑754 C++ cpp/inconsistent-call-on-result Inconsistent operation on return value
CWE‑754 C++ cpp/ignore-return-value-sal SAL requires inspecting return value
CWE‑754 C++ cpp/hresult-boolean-conversion Cast between HRESULT and a Boolean type
CWE‑754 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑754 C++ cpp/work-with-changing-working-directories Find work with changing working directories, with security errors.
CWE‑754 C++ cpp/drop-linux-privileges-outoforder LinuxPrivilegeDroppingOutoforder
CWE‑754 C++ cpp/improper-check-return-value-scanf Improper check of return value of scanf
CWE‑754 C# cs/unchecked-return-value Unchecked return value
CWE‑754 Java java/inconsistent-call-on-result Inconsistent operation on return value
CWE‑754 Java java/return-value-ignored Method result ignored
CWE‑754 Java java/unsafe-cert-trust Unsafe certificate trust
CWE‑754 JavaScript js/unvalidated-dynamic-method-call Unvalidated dynamic method call
CWE‑754 Python py/ignored-return-value Ignored return value
CWE‑755 C++ cpp/incorrect-allocation-error-handling Incorrect allocation-error handling
CWE‑755 C++ cpp/operator-find-incorrectly-used-exceptions Operator Find Incorrectly Used Exceptions
CWE‑755 C# cs/dispose-not-called-on-throw Dispose may not be called if an exception is thrown during execution
CWE‑755 C# cs/local-not-disposed Missing Dispose call on local IDisposable
CWE‑755 C# cs/catch-nullreferenceexception Poor error handling: catch of NullReferenceException
CWE‑755 C# cs/empty-catch-block Poor error handling: empty catch block
CWE‑755 C# cs/catch-of-all-exceptions Generic catch clause
CWE‑755 C# cs/information-exposure-through-exception Information exposure through an exception
CWE‑755 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑755 Go go/stack-trace-exposure Information exposure through a stack trace
CWE‑755 Java java/stack-trace-exposure Information exposure through a stack trace
CWE‑755 Java java/overly-general-catch Overly-general catch clause
CWE‑755 Java java/android/nfe-local-android-dos Local Android DoS Caused By NumberFormatException
CWE‑755 JavaScript js/stack-trace-exposure Information exposure through a stack trace
CWE‑755 Python py/catch-base-exception Except block handles 'BaseException'
CWE‑755 Python py/empty-except Empty except
CWE‑755 Python py/stack-trace-exposure Information exposure through an exception
CWE‑755 Ruby rb/stack-trace-exposure Information exposure through an exception
CWE‑756 C# cs/web/missing-global-error-handler Missing global error handler
CWE‑757 Swift swift/insecure-tls Insecure TLS configuration
CWE‑758 C++ cpp/pointer-overflow-check Pointer overflow check
CWE‑758 C++ cpp/memset-may-be-deleted Call to memset may be deleted
CWE‑758 C++ cpp/errors-of-undefined-program-behavior Errors Of Undefined Program Behavior
CWE‑758 C# cs/captured-foreach-variable Capturing a foreach variable
CWE‑758 JavaScript js/conflicting-html-attribute Conflicting HTML element attributes
CWE‑758 JavaScript js/malformed-html-id Malformed id attribute
CWE‑758 JavaScript js/conditional-comment Conditional comments
CWE‑758 JavaScript js/non-standard-language-feature Use of platform-specific language features
CWE‑758 JavaScript js/for-in-comprehension Use of for-in comprehension blocks
CWE‑758 JavaScript js/yield-outside-generator Yield in non-generator function
CWE‑759 Java java/hash-without-salt Use of a hash function without a salt
CWE‑760 Swift swift/constant-salt Use of constant salts
CWE‑764 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑764 C++ cpp/twice-locked Mutex locked twice
CWE‑764 C++ cpp/unreleased-lock Lock may not be released
CWE‑764 Java java/unreleased-lock Unreleased lock
CWE‑770 C++ cpp/alloca-in-loop Call to alloca in a loop
CWE‑770 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑770 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑770 JavaScript js/resource-exhaustion Resource exhaustion
CWE‑770 JavaScript js/resource-exhaustion-more-sources Resource exhaustion with additional heuristic sources
CWE‑772 C++ cpp/catch-missing-free Leaky catch
CWE‑772 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑772 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑772 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑772 C++ cpp/file-never-closed Open file is not closed
CWE‑772 C++ cpp/memory-may-not-be-freed Memory may not be freed
CWE‑772 C++ cpp/memory-never-freed Memory is never freed
CWE‑772 C++ cpp/new-free-mismatch Mismatching new/free or malloc/delete
CWE‑772 C++ cpp/memory-leak-on-failed-call-to-realloc Memory leak on failed call to realloc
CWE‑772 Java java/input-resource-leak Potential input resource leak
CWE‑772 Java java/database-resource-leak Potential database resource leak
CWE‑772 Java java/output-resource-leak Potential output resource leak
CWE‑772 Python py/file-not-closed File is not always closed
CWE‑775 C++ cpp/descriptor-may-not-be-closed Open descriptor may not be closed
CWE‑775 C++ cpp/descriptor-never-closed Open descriptor never closed
CWE‑775 C++ cpp/file-may-not-be-closed Open file may not be closed
CWE‑775 C++ cpp/file-never-closed Open file is not closed
CWE‑776 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑776 C# cs/insecure-xml-read XML is read insecurely
CWE‑776 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑776 Java java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE‑776 JavaScript js/xml-bomb XML internal entity expansion
CWE‑776 JavaScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE‑776 Python py/xml-bomb XML internal entity expansion
CWE‑776 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer denial of service
CWE‑776 Ruby rb/xxe XML external entity expansion
CWE‑776 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE‑780 C# cs/inadequate-rsa-padding Weak encryption: inadequate RSA padding
CWE‑780 Java java/rsa-without-oaep Use of RSA algorithm without OAEP
CWE‑783 C++ cpp/operator-precedence-logic-error-when-use-bitwise-logical-operations Operator Precedence Logic Error When Use Bitwise Or Logical Operations
CWE‑783 C++ cpp/operator-precedence-logic-error-when-use-bool-type Operator Precedence Logic Error When Use Bool Type
CWE‑783 Go go/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑783 Java java/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑783 JavaScript js/unclear-operator-precedence Unclear precedence of nested operators
CWE‑783 JavaScript js/whitespace-contradicts-precedence Whitespace contradicts operator precedence
CWE‑787 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑787 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑787 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑787 C++ cpp/badly-bounded-write Badly bounded write
CWE‑787 C++ cpp/overrunning-write Potentially overrunning write
CWE‑787 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑787 C++ cpp/unbounded-write Unbounded write
CWE‑787 C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE‑787 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑787 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑787 C++ cpp/invalid-pointer-deref Invalid pointer dereference
CWE‑787 C++ cpp/sign-conversion-pointer-arithmetic unsigned to signed used in pointer arithmetic
CWE‑787 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑788 C++ cpp/allocation-too-small Not enough memory allocated for pointer type
CWE‑788 C++ cpp/suspicious-allocation-size Not enough memory allocated for array of pointer type
CWE‑788 C++ cpp/unsafe-strncat Potentially unsafe call to strncat
CWE‑788 C++ cpp/overflow-buffer Call to memory access function may overflow buffer
CWE‑788 C++ cpp/unterminated-variadic-call Unterminated variadic call
CWE‑788 C++ cpp/no-space-for-terminator No space for zero terminator
CWE‑788 C++ cpp/openssl-heartbleed Use of a version of OpenSSL with Heartbleed
CWE‑788 C++ cpp/access-memory-location-after-end-buffer-strlen Access Of Memory Location After End Of Buffer
CWE‑788 C# cs/unvalidated-local-pointer-arithmetic Unvalidated local pointer arithmetic
CWE‑788 Go go/wrong-usage-of-unsafe Wrong usage of package unsafe
CWE‑789 C++ cpp/uncontrolled-allocation-size Overflow in uncontrolled allocation size
CWE‑798 C# cs/hard-coded-symmetric-encryption-key Hard-coded symmetric encryption key
CWE‑798 C# cs/hardcoded-connection-string-credentials Hard-coded connection string with credentials
CWE‑798 C# cs/hardcoded-credentials Hard-coded credentials
CWE‑798 Go go/hardcoded-credentials Hard-coded credentials
CWE‑798 Go go/hardcoded-key Use of a hardcoded key for signing JWT
CWE‑798 Java java/hardcoded-credential-api-call Hard-coded credential in API call
CWE‑798 Java java/hardcoded-credential-comparison Hard-coded credential comparison
CWE‑798 Java java/hardcoded-credential-sensitive-call Hard-coded credential in sensitive call
CWE‑798 Java java/hardcoded-password-field Hard-coded password field
CWE‑798 JavaScript js/hardcoded-credentials Hard-coded credentials
CWE‑798 Python py/hardcoded-credentials Hard-coded credentials
CWE‑798 Ruby rb/hardcoded-credentials Hard-coded credentials
CWE‑798 Swift swift/constant-password Constant password
CWE‑798 Swift swift/hardcoded-key Hard-coded encryption key
CWE‑799 JavaScript js/missing-rate-limiting Missing rate limiting
CWE‑805 C++ cpp/badly-bounded-write Badly bounded write
CWE‑805 C++ cpp/overrunning-write Potentially overrunning write
CWE‑805 C++ cpp/overrunning-write-with-float Potentially overrunning write with float to string conversion
CWE‑805 C++ cpp/unbounded-write Unbounded write
CWE‑805 C++ cpp/very-likely-overrunning-write Likely overrunning write
CWE‑805 C++ cpp/buffer-access-with-incorrect-length-value Buffer access with incorrect length value
CWE‑807 C++ cpp/tainted-permissions-check Untrusted input for a condition
CWE‑807 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑807 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑807 Java java/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑807 Java java/tainted-permissions-check User-controlled data used in permissions check
CWE‑807 JavaScript js/user-controlled-bypass User-controlled bypass of security check
CWE‑807 JavaScript js/different-kinds-comparison-bypass Comparison of user-controlled data of different kinds
CWE‑807 JavaScript js/user-controlled-bypass-more-sources User-controlled bypass of security check with additional heuristic sources
CWE‑807 Ruby rb/user-controlled-bypass User-controlled bypass of security check
CWE‑820 C# cs/unsynchronized-static-access Unsynchronized access to static collection member in non-static context
CWE‑820 Java java/lazy-initialization Incorrect lazy initialization of a static field
CWE‑820 Java java/non-sync-override Non-synchronized override of synchronized method
CWE‑821 Java java/ejb/synchronization EJB uses synchronization
CWE‑821 Java java/call-to-thread-run Direct call to a run() method
CWE‑823 C++ cpp/late-negative-test Pointer offset used before it is checked
CWE‑823 C++ cpp/missing-negativity-test Unchecked return value used as offset
CWE‑825 C++ cpp/double-free Potential double free
CWE‑825 C++ cpp/use-after-free Potential use after free
CWE‑825 C++ cpp/return-stack-allocated-memory Returning stack-allocated memory
CWE‑825 C++ cpp/using-expired-stack-address Use of expired stack-address
CWE‑825 C++ cpp/experimental-double-free Errors When Double Free
CWE‑825 C++ cpp/dangerous-use-of-exception-blocks Dangerous use of exception blocks.
CWE‑826 C++ cpp/self-assignment-check Self assignment check
CWE‑827 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑827 C# cs/insecure-xml-read XML is read insecurely
CWE‑827 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑827 Java java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE‑827 JavaScript js/xxe XML external entity expansion
CWE‑827 JavaScript js/xxe-more-sources XML external entity expansion with additional heuristic sources
CWE‑827 Python py/xxe XML external entity expansion
CWE‑827 Ruby rb/xxe XML external entity expansion
CWE‑827 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE‑829 C# cs/web/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑829 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑829 C# cs/insecure-xml-read XML is read insecurely
CWE‑829 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑829 Java java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE‑829 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑829 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑829 JavaScript js/missing-x-frame-options Missing X-Frame-Options HTTP header
CWE‑829 JavaScript js/xxe XML external entity expansion
CWE‑829 JavaScript js/insecure-download Download of sensitive file through insecure connection
CWE‑829 JavaScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE‑829 JavaScript js/xxe-more-sources XML external entity expansion with additional heuristic sources
CWE‑829 Python py/xxe XML external entity expansion
CWE‑829 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑829 Ruby rb/xxe XML external entity expansion
CWE‑829 Ruby rb/insecure-download Download of sensitive file through insecure connection
CWE‑829 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE‑830 JavaScript js/functionality-from-untrusted-source Inclusion of functionality from an untrusted source
CWE‑833 C++ cpp/lock-order-cycle Cyclic lock order dependency
CWE‑833 C++ cpp/twice-locked Mutex locked twice
CWE‑833 C++ cpp/unreleased-lock Lock may not be released
CWE‑833 C# cs/locked-wait A lock is held during a wait
CWE‑833 Java java/sleep-with-lock-held Sleep with lock held
CWE‑833 Java java/unreleased-lock Unreleased lock
CWE‑833 Java java/wait-with-two-locks Wait with two locks held
CWE‑833 Java java/lock-order-inconsistency Lock order inconsistency
CWE‑834 C++ cpp/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑834 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑834 C++ cpp/infinite-loop-with-unsatisfiable-exit-condition Infinite loop with unsatisfiable exit condition
CWE‑834 C# cs/constant-condition Constant condition
CWE‑834 C# cs/linq/inconsistent-enumeration Bad multiple iteration
CWE‑834 C# cs/xml/insecure-dtd-handling Untrusted XML is read insecurely
CWE‑834 C# cs/insecure-xml-read XML is read insecurely
CWE‑834 Go go/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑834 Java java/constant-loop-condition Constant loop condition
CWE‑834 Java java/xxe Resolving XML external entity in user-controlled data
CWE‑834 Java java/xxe-local Resolving XML external entity in user-controlled data from local source
CWE‑834 Java java/unreachable-exit-in-loop Loop with unreachable exit condition
CWE‑834 JavaScript js/xml-bomb XML internal entity expansion
CWE‑834 JavaScript js/loop-bound-injection Loop bound injection
CWE‑834 JavaScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑834 JavaScript js/xml-bomb-more-sources XML internal entity expansion with additional heuristic sources
CWE‑834 Python py/xml-bomb XML internal entity expansion
CWE‑834 Python py/simple-xml-rpc-server-dos SimpleXMLRPCServer denial of service
CWE‑834 Ruby rb/xxe XML external entity expansion
CWE‑834 Swift swift/xxe Resolving XML external entity in user-controlled data
CWE‑835 C++ cpp/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑835 C++ cpp/comparison-with-wider-type Comparison of narrow type with wide type in loop condition
CWE‑835 C++ cpp/infinite-loop-with-unsatisfiable-exit-condition Infinite loop with unsatisfiable exit condition
CWE‑835 C# cs/constant-condition Constant condition
CWE‑835 Go go/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑835 Java java/constant-loop-condition Constant loop condition
CWE‑835 Java java/unreachable-exit-in-loop Loop with unreachable exit condition
CWE‑835 JavaScript js/inconsistent-loop-direction Inconsistent direction of for loop
CWE‑838 C# cs/inappropriate-encoding Inappropriate encoding
CWE‑843 C++ cpp/upcast-array-pointer-arithmetic Upcast array used in pointer arithmetic
CWE‑843 JavaScript js/type-confusion-through-parameter-tampering Type confusion through parameter tampering
CWE‑862 C# cs/empty-password-in-configuration Empty password in configuration file
CWE‑862 C# cs/web/missing-function-level-access-control Missing function level access control
CWE‑862 Java java/incorrect-url-verification Incorrect URL verification
CWE‑862 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑862 JavaScript js/empty-password-in-configuration-file Empty password in configuration file
CWE‑862 JavaScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE‑908 C++ cpp/improper-check-return-value-scanf Improper check of return value of scanf
CWE‑909 C++ cpp/initialization-not-run Initialization code not run
CWE‑912 JavaScript js/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑912 JavaScript js/http-to-file-access Network data written to file
CWE‑912 Ruby rb/hardcoded-data-interpreted-as-code Hard-coded data interpreted as code
CWE‑912 Ruby rb/http-to-file-access Network data written to file
CWE‑913 C# cs/code-injection Improper control of generation of code
CWE‑913 C# cs/deserialized-delegate Deserialized delegate
CWE‑913 C# cs/unsafe-deserialization Unsafe deserializer
CWE‑913 C# cs/unsafe-deserialization-untrusted-input Deserialization of untrusted data
CWE‑913 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑913 Java java/android/arbitrary-apk-installation Android APK installation
CWE‑913 Java java/groovy-injection Groovy Language injection
CWE‑913 Java java/insecure-bean-validation Insecure Bean Validation
CWE‑913 Java java/jexl-expression-injection Expression language injection (JEXL)
CWE‑913 Java java/mvel-expression-injection Expression language injection (MVEL)
CWE‑913 Java java/spel-expression-injection Expression language injection (Spring)
CWE‑913 Java java/server-side-template-injection Server-side template injection
CWE‑913 Java java/android/fragment-injection Android fragment injection
CWE‑913 Java java/android/fragment-injection-preference-activity Android fragment injection in PreferenceActivity
CWE‑913 Java java/unsafe-deserialization Deserialization of user-controlled data
CWE‑913 Java java/log4j-injection Potential Log4J LDAP JNDI injection (CVE-2021-44228)
CWE‑913 Java java/beanshell-injection BeanShell injection
CWE‑913 Java java/android-insecure-dex-loading Insecure loading of an Android Dex File
CWE‑913 Java java/jshell-injection JShell injection
CWE‑913 Java java/javaee-expression-injection Jakarta Expression Language injection
CWE‑913 Java java/jython-injection Injection in Jython
CWE‑913 Java java/unsafe-eval Injection in Java Script Engine
CWE‑913 Java java/spring-view-manipulation-implicit Spring Implicit View Manipulation
CWE‑913 Java java/spring-view-manipulation Spring View Manipulation
CWE‑913 Java java/unsafe-reflection Use of externally-controlled input to select classes or code ('unsafe reflection')
CWE‑913 Java java/unsafe-deserialization-rmi Unsafe deserialization in a remotely callable method.
CWE‑913 Java java/unsafe-deserialization-spring-exporter-in-configuration-class Unsafe deserialization with Spring's remote service exporters.
CWE‑913 Java java/unsafe-deserialization-spring-exporter-in-xml-configuration Unsafe deserialization with Spring's remote service exporters.
CWE‑913 JavaScript js/enabling-electron-renderer-node-integration Enabling Node.js integration for Electron web content renderers
CWE‑913 JavaScript js/template-object-injection Template Object Injection
CWE‑913 JavaScript js/code-injection Code injection
CWE‑913 JavaScript js/actions/command-injection Expression injection in Actions
CWE‑913 JavaScript js/bad-code-sanitization Improper code sanitization
CWE‑913 JavaScript js/unsafe-code-construction Unsafe code constructed from library input
CWE‑913 JavaScript js/unsafe-dynamic-method-access Unsafe dynamic method access
CWE‑913 JavaScript js/unsafe-deserialization Deserialization of user-controlled data
CWE‑913 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑913 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑913 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑913 JavaScript js/actions/pull-request-target Checkout of untrusted code in trusted context
CWE‑913 JavaScript js/code-injection-more-sources Code injection with additional heuristic sources
CWE‑913 JavaScript js/unsafe-deserialization-more-sources Deserialization of user-controlled data with additional heuristic sources
CWE‑913 JavaScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE‑913 Python py/code-injection Code injection
CWE‑913 Python py/unsafe-deserialization Deserialization of user-controlled data
CWE‑913 Ruby rb/server-side-template-injection Server-side template injection
CWE‑913 Ruby rb/code-injection Code injection
CWE‑913 Ruby rb/unsafe-code-construction Unsafe code constructed from library input
CWE‑913 Ruby rb/unsafe-deserialization Deserialization of user-controlled data
CWE‑913 Swift swift/unsafe-webview-fetch Unsafe WebView fetch
CWE‑913 Swift swift/unsafe-js-eval JavaScript Injection
CWE‑915 JavaScript js/prototype-polluting-assignment Prototype-polluting assignment
CWE‑915 JavaScript js/prototype-pollution-utility Prototype-polluting function
CWE‑915 JavaScript js/prototype-pollution Prototype-polluting merge call
CWE‑915 JavaScript js/prototype-polluting-assignment-more-sources Prototype-polluting assignment with additional heuristic sources
CWE‑916 Java java/hash-without-salt Use of a hash function without a salt
CWE‑916 JavaScript js/insufficient-password-hash Use of password hash with insufficient computational effort
CWE‑916 Python py/weak-sensitive-data-hashing Use of a broken or weak cryptographic hashing algorithm on sensitive data
CWE‑916 Swift swift/constant-salt Use of constant salts
CWE‑916 Swift swift/insufficient-hash-iterations Insufficient hash iterations
CWE‑917 Java java/ognl-injection OGNL Expression Language statement with user-controlled input
CWE‑918 C# cs/request-forgery Server-side request forgery
CWE‑918 Go go/request-forgery Uncontrolled data used in network request
CWE‑918 Go go/ssrf Uncontrolled data used in network request
CWE‑918 Java java/ssrf Server-side request forgery
CWE‑918 JavaScript js/client-side-request-forgery Client-side request forgery
CWE‑918 JavaScript js/request-forgery Server-side request forgery
CWE‑918 JavaScript javascript/ssrf Uncontrolled data used in network request
CWE‑918 Python py/full-ssrf Full server-side request forgery
CWE‑918 Python py/partial-ssrf Partial server-side request forgery
CWE‑918 Ruby rb/request-forgery Server-side request forgery
CWE‑922 C++ cpp/cleartext-storage-buffer Cleartext storage of sensitive information in buffer
CWE‑922 C++ cpp/cleartext-storage-file Cleartext storage of sensitive information in file
CWE‑922 C++ cpp/cleartext-storage-database Cleartext storage of sensitive information in an SQLite database
CWE‑922 C# cs/password-in-configuration Password in configuration file
CWE‑922 C# cs/cleartext-storage-of-sensitive-information Clear text storage of sensitive information
CWE‑922 Go go/clear-text-logging Clear-text logging of sensitive information
CWE‑922 Java java/android/backup-enabled Application backup allowed
CWE‑922 Java java/android/cleartext-storage-database Cleartext storage of sensitive information using a local database on Android
CWE‑922 Java java/android/cleartext-storage-filesystem Cleartext storage of sensitive information in the Android filesystem
CWE‑922 Java java/cleartext-storage-in-class Cleartext storage of sensitive information using storable class
CWE‑922 Java java/cleartext-storage-in-cookie Cleartext storage of sensitive information in cookie
CWE‑922 Java java/cleartext-storage-in-properties Cleartext storage of sensitive information using 'Properties' class
CWE‑922 Java java/android/cleartext-storage-shared-prefs Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑922 JavaScript js/build-artifact-leak Storage of sensitive information in build artifact
CWE‑922 JavaScript js/clear-text-logging Clear-text logging of sensitive information
CWE‑922 JavaScript js/clear-text-storage-of-sensitive-data Clear text storage of sensitive information
CWE‑922 JavaScript js/password-in-configuration-file Password in configuration file
CWE‑922 JavaScript js/clear-text-cookie Clear text transmission of sensitive cookie
CWE‑922 Python py/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑922 Python py/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑922 Ruby rb/clear-text-logging-sensitive-data Clear-text logging of sensitive information
CWE‑922 Ruby rb/clear-text-storage-sensitive-data Clear-text storage of sensitive information
CWE‑922 Swift swift/cleartext-storage-database Cleartext storage of sensitive information in a local database
CWE‑922 Swift swift/cleartext-logging Cleartext logging of sensitive information
CWE‑922 Swift swift/cleartext-storage-preferences Cleartext storage of sensitive information in an application preference store
CWE‑923 C# cs/user-controlled-bypass User-controlled bypass of sensitive method
CWE‑923 Go go/insecure-hostkeycallback Use of insecure HostKeyCallback implementation
CWE‑923 Go go/sensitive-condition-bypass User-controlled bypassing of sensitive action
CWE‑923 Java java/insecure-smtp-ssl Insecure JavaMail SSL Configuration
CWE‑923 Java java/unsafe-hostname-verification Unsafe hostname verification
CWE‑923 Java java/socket-auth-race-condition Race condition in socket authentication
CWE‑923 Java java/maven/non-https-url Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑923 Java java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE‑923 Java java/android/intent-redirection Android Intent redirection
CWE‑923 Java java/ignored-hostname-verification Ignored result of hostname verification
CWE‑923 Java java/insecure-ldaps-endpoint Insecure LDAPS Endpoint Configuration
CWE‑923 JavaScript js/missing-origin-check Missing origin verification in postMessage handler
CWE‑923 JavaScript js/disabling-certificate-validation Disabling certificate validation
CWE‑923 JavaScript js/insecure-dependency Dependency download using unencrypted communication channel
CWE‑923 Ruby rb/insecure-dependency Dependency download using unencrypted communication channel
CWE‑925 Java java/improper-intent-verification Improper verification of intent by broadcast receiver
CWE‑926 Java java/android/intent-uri-permission-manipulation Intent URI permission manipulation
CWE‑926 Java java/android/incomplete-provider-permissions Missing read or write permission in a content provider
CWE‑926 Java java/android/implicitly-exported-component Implicitly exported Android component
CWE‑926 Java java/android/intent-redirection Android Intent redirection
CWE‑927 Java java/android/implicit-pendingintents Use of implicit PendingIntents
CWE‑927 Java java/android/sensitive-communication Leaking sensitive information through an implicit Intent
CWE‑927 Java java/android/sensitive-result-receiver Leaking sensitive information through a ResultReceiver
CWE‑939 Java java/incorrect-url-verification Incorrect URL verification
CWE‑940 Java java/android/intent-redirection Android Intent redirection
CWE‑940 JavaScript js/missing-origin-check Missing origin verification in postMessage handler
CWE‑942 Go go/cors-misconfiguration CORS misconfiguration
CWE‑942 JavaScript js/cors-misconfiguration-for-credentials CORS misconfiguration for credentials transfer
CWE‑942 JavaScript js/cors-misconfiguration-for-credentials-more-sources CORS misconfiguration for credentials transfer with additional heuristic sources
CWE‑943 C++ cpp/sql-injection Uncontrolled data in SQL query
CWE‑943 C# cs/second-order-sql-injection SQL query built from stored user-controlled sources
CWE‑943 C# cs/sql-injection SQL query built from user-controlled sources
CWE‑943 C# cs/ldap-injection LDAP query built from user-controlled sources
CWE‑943 C# cs/stored-ldap-injection LDAP query built from stored user-controlled sources
CWE‑943 C# cs/xml/stored-xpath-injection Stored XPath injection
CWE‑943 C# cs/xml/xpath-injection XPath injection
CWE‑943 Go go/sql-injection Database query built from user-controlled sources
CWE‑943 Go go/unsafe-quoting Potentially unsafe quoting
CWE‑943 Go go/xml/xpath-injection XPath injection
CWE‑943 Go go/ldap-injection LDAP query built from user-controlled sources
CWE‑943 Java java/concatenated-sql-query Query built by concatenation with a possibly-untrusted string
CWE‑943 Java java/sql-injection Query built from user-controlled sources
CWE‑943 Java java/sql-injection-local Query built from local-user-controlled sources
CWE‑943 Java java/ldap-injection LDAP query built from user-controlled sources
CWE‑943 Java java/xml/xpath-injection XPath injection
CWE‑943 Java java/mybatis-annotation-sql-injection SQL injection in MyBatis annotation
CWE‑943 Java java/mybatis-xml-sql-injection SQL injection in MyBatis Mapper XML
CWE‑943 Java java/xquery-injection XQuery query built from user-controlled sources
CWE‑943 JavaScript js/sql-injection Database query built from user-controlled sources
CWE‑943 JavaScript js/xpath-injection XPath injection
CWE‑943 JavaScript js/sql-injection-more-sources Database query built from user-controlled sources with additional heuristic sources
CWE‑943 JavaScript js/xpath-injection-more-sources XPath injection with additional heuristic sources
CWE‑943 Python py/sql-injection SQL query built from user-controlled sources
CWE‑943 Python py/ldap-injection LDAP query built from user-controlled sources
CWE‑943 Python py/xpath-injection XPath query built from user-controlled sources
CWE‑943 Python py/xslt-injection XSLT query built from user-controlled sources
CWE‑943 Python py/nosql-injection NoSQL Injection
CWE‑943 Ruby rb/ldap-injection LDAP Injection
CWE‑943 Ruby rb/xpath-injection XPath query built from user-controlled sources
CWE‑943 Ruby rb/sql-injection SQL query built from user-controlled sources
CWE‑943 Swift swift/sql-injection Database query built from user-controlled sources
CWE‑943 Swift swift/predicate-injection Predicate built from user-controlled sources
CWE‑1004 C# cs/web/cookie-httponly-not-set 'HttpOnly' attribute is not set to true
CWE‑1004 Go go/cookie-httponly-not-set 'HttpOnly' attribute is not set to true
CWE‑1004 Java java/tomcat-disabled-httponly Tomcat config disables 'HttpOnly' flag (XSS risk)
CWE‑1004 Java java/sensitive-cookie-not-httponly Sensitive cookies without the HttpOnly response header set
CWE‑1004 JavaScript js/client-exposed-cookie Sensitive server cookie exposed to the client
CWE‑1022 JavaScript js/unsafe-external-link Potentially unsafe external link
CWE‑1041 C++ cpp/call-to-function-without-wrapper Missed opportunity to call wrapper function
CWE‑1078 C++ cpp/comma-before-misleading-indentation Comma before misleading indentation
CWE‑1104 Java java/maven/dependency-upon-bintray Depending upon JCenter/Bintray as an artifact repository
CWE‑1126 C++ cpp/errors-when-using-variable-declaration-inside-loop Errors When Using Variable Declaration Inside Loop
CWE‑1176 JavaScript js/angular/double-compilation Double compilation
CWE‑1204 Java java/static-initialization-vector Using a static initialization vector for encryption
CWE‑1204 Swift swift/static-initialization-vector Static initialization vector for encryption
CWE‑1236 Python py/csv-injection Csv Injection
CWE‑1275 JavaScript js/samesite-none-cookie Sensitive cookie without SameSite restrictions
CWE‑1275 Ruby rb/weak-cookie-configuration Weak cookie configuration
CWE‑1333 C# cs/redos Denial of Service from comparison of user input against expensive regex
CWE‑1333 Java java/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑1333 Java java/redos Inefficient regular expression
CWE‑1333 JavaScript js/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑1333 JavaScript js/redos Inefficient regular expression
CWE‑1333 Python py/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑1333 Python py/redos Inefficient regular expression
CWE‑1333 Ruby rb/polynomial-redos Polynomial regular expression used on uncontrolled data
CWE‑1333 Ruby rb/redos Inefficient regular expression
CWE‑1333 Ruby rb/regexp-injection Regular expression injection
CWE‑1333 Swift swift/redos Inefficient regular expression
CWE‑1336 Java java/server-side-template-injection Server-side template injection
  • © GitHub, Inc.
  • Terms
  • Privacy